Fortinet black logo

Handbook

Configuring application control traffic shaping

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:204835
Download PDF

Configuring application control traffic shaping

Application control traffic shaping gives you more control over the amount of bandwidth that applications use. If an application is necessary, but you need to prevent it from impacting bandwidth, you can use a traffic shaping policy to limit the amount of bandwidth that the application is permitted to use, instead of blocking it entirely. Applying traffic shaping to applications is useful for managing bandwidth-intensive applications, such as YouTube, that use the same TCP and UDP port numbers as mission-critical applications.

Application control traffic shaping works together with shared traffic shapers and per-IP traffic shapers in traffic shaping policies. You can control traffic by application, application category, and FortiGuard web filter categories (URL category). You configure application control traffic shaping in the FortiGate GUI or FortiGate CLI, by performing the following tasks:

  1. Enable application control in a security policy.
  2. Create a traffic shaper with the bandwidth settings that you want to enforce.
  3. Create a traffic shaping policy, where you configure application control options, enable the traffic shaper, and specify which security policy to apply the traffic shaper to.

Enabling application control in a security policy

Create a general Internet access security policy and enable application control in the policy. Alternatively, you can edit an existing security policy.

Enable application control in a security policy – GUI
  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. In the Name field, enter a name for the security policy.
  4. Set the Incoming Interface field to the appropriate incoming interface.
  5. Set the Outgoing Interface field to the appropriate outgoing interface.
  6. Set the Source field to the appropriate source.
  7. Set the Destination field to the appropriate destination.
  8. Set the Schedule field to the schedule that you want to use.
  9. Set the Service field to the service and service group names that you want to use.
  10. Set the Action field to ACCEPT.
  11. In the Security Profiles section, enable Application Control, and select an application control profile.
  12. Select OK.
Enable application control in a security policy – CLI

config firewall policy

edit <policy_ID>

set name <policy_name>

set srcintf <incoming_interface>

set dstintf <outgoing_interface>

set srcaddr <source_address_name>

set dstaddr <destination_address_name>

set schedule <schedule_name>

set service <service>

set action accept

set utm-status enable

set application-list <application_list>

set nat enable

next

end

Creating a traffic shaper with the bandwidth settings that you want to enforce

Create traffic shapers with the bandwith settings that you want to apply to applications. You can create shared policy traffic shapers or per-IP traffic shapers.

To create a shared policy shaper, see Configuring shared policy traffic shaping.

To create a per-IP traffic shaper, see Configuring per-IP traffic shaping.

Creating a traffic shaping policy

Create a new traffic shaping policy and apply it to the security policy that you created above.

Create a traffic shaping policy – GUI
  1. Go to Policy & Objects > Traffic Shaping Policy.
  2. Select Create New.
  3. In the IP Version field, select IPv4 or IPv6.
  4. In the Name field, enter a name for the traffic shaping policy.
  5. In the If Traffic Matches section, set the following options:

    GUI option

    Value

    Source

    Set this to the appropriate source.

    Destination

    Set this to the appropriate destination.

    Service

    Set this to the service and service group names that you want to use.

    Application

    Select applications that you want to apply traffic shaping to.

    Select application categories that you want to apply traffic shaping to.

    URL Category

    Set this to a FortiGuard web filter category.

  6. In the Then section, set the following options:

    GUI option

    Value

    Action

    Apply Shaper

    Outgoing interface

    Set this to the outgoing interface that matches the outgoing interface of the security policy that you want to apply traffic shaping to.

    Shared shaper

    Enable this option, and select a traffic shaper in the drop-down list.

    Reverse shaper

    Enable this option, and select a traffic shaper in the drop-down list.

    Per-IP shaper

    Enable this option, and select a traffic shaper in the drop-down list.

  7. Select OK.
Create a traffic shaping policy – CLI

config firewall shaping-policy

edit <shaping_policy_ID>

set ip-version {4 | 6}

set name <policy_name>

set srcaddr <source_address>

set dstaddr <destination_address>

set service <service_name>

set application <application_name>

set app-category <application_category_ID_list>

set url-category <URL_category_ID_list>

set dstintf <destination_interface_list>

set traffic-shaper <traffic_shaper_name>

set traffic-shaper-reverse <reverse_traffic_shaper_name>

set per-ip-shaper <per_IP_shaper_name>

next

end

Example: Configuring traffic shaping for Facebook

The following example shows how to configure application control traffic shaping for Facebook, with a medium priority.

Example using the FortiGate GUI

Create a general Internet access security policy by completing the following tasks:

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. Set Name to Internet access.
  4. Set Incoming Interface to Internal.
  5. Set Outgoing Interface to wan1.
  6. Set Source to all.
  7. Set Destination to all.
  8. Set Schedule to always.
  9. Set Service to ALL.
  10. Set Action to ACCEPT
  11. In the Security Profiles section, enable Application Control, and select the default application control profile.
  12. Select OK.
Example using the FortiGate CLI
  1. Create a general Internet access security policy by entering the following commands:

    config firewall policy

    edit 1

    set name Internet access

    set srcintf Internal

    set dstintf wan1

    set srcaddr all

    set dstaddr all

    set schedule always

    set service ALL

    set action accept

    set utm-status enable

    set application-list default

    set nat enable

    next

    end

  2. Create a new traffic shaping policy and apply it to the security policy that you created above by entering the following commands:

    config firewall shaping-policy

    edit 1

    set ip-version 4

    set name Facebook

    set srcaddr all

    set dstaddr all

    set service ALL

    set application 15832

    set app-category 23

    set url-category 37

    set dstintf wan1

    set traffic-shaper medium-priority

    set traffic-shaper-reverse medium-priority

    next

    end

Configuring application control traffic shaping

Application control traffic shaping gives you more control over the amount of bandwidth that applications use. If an application is necessary, but you need to prevent it from impacting bandwidth, you can use a traffic shaping policy to limit the amount of bandwidth that the application is permitted to use, instead of blocking it entirely. Applying traffic shaping to applications is useful for managing bandwidth-intensive applications, such as YouTube, that use the same TCP and UDP port numbers as mission-critical applications.

Application control traffic shaping works together with shared traffic shapers and per-IP traffic shapers in traffic shaping policies. You can control traffic by application, application category, and FortiGuard web filter categories (URL category). You configure application control traffic shaping in the FortiGate GUI or FortiGate CLI, by performing the following tasks:

  1. Enable application control in a security policy.
  2. Create a traffic shaper with the bandwidth settings that you want to enforce.
  3. Create a traffic shaping policy, where you configure application control options, enable the traffic shaper, and specify which security policy to apply the traffic shaper to.

Enabling application control in a security policy

Create a general Internet access security policy and enable application control in the policy. Alternatively, you can edit an existing security policy.

Enable application control in a security policy – GUI
  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. In the Name field, enter a name for the security policy.
  4. Set the Incoming Interface field to the appropriate incoming interface.
  5. Set the Outgoing Interface field to the appropriate outgoing interface.
  6. Set the Source field to the appropriate source.
  7. Set the Destination field to the appropriate destination.
  8. Set the Schedule field to the schedule that you want to use.
  9. Set the Service field to the service and service group names that you want to use.
  10. Set the Action field to ACCEPT.
  11. In the Security Profiles section, enable Application Control, and select an application control profile.
  12. Select OK.
Enable application control in a security policy – CLI

config firewall policy

edit <policy_ID>

set name <policy_name>

set srcintf <incoming_interface>

set dstintf <outgoing_interface>

set srcaddr <source_address_name>

set dstaddr <destination_address_name>

set schedule <schedule_name>

set service <service>

set action accept

set utm-status enable

set application-list <application_list>

set nat enable

next

end

Creating a traffic shaper with the bandwidth settings that you want to enforce

Create traffic shapers with the bandwith settings that you want to apply to applications. You can create shared policy traffic shapers or per-IP traffic shapers.

To create a shared policy shaper, see Configuring shared policy traffic shaping.

To create a per-IP traffic shaper, see Configuring per-IP traffic shaping.

Creating a traffic shaping policy

Create a new traffic shaping policy and apply it to the security policy that you created above.

Create a traffic shaping policy – GUI
  1. Go to Policy & Objects > Traffic Shaping Policy.
  2. Select Create New.
  3. In the IP Version field, select IPv4 or IPv6.
  4. In the Name field, enter a name for the traffic shaping policy.
  5. In the If Traffic Matches section, set the following options:

    GUI option

    Value

    Source

    Set this to the appropriate source.

    Destination

    Set this to the appropriate destination.

    Service

    Set this to the service and service group names that you want to use.

    Application

    Select applications that you want to apply traffic shaping to.

    Select application categories that you want to apply traffic shaping to.

    URL Category

    Set this to a FortiGuard web filter category.

  6. In the Then section, set the following options:

    GUI option

    Value

    Action

    Apply Shaper

    Outgoing interface

    Set this to the outgoing interface that matches the outgoing interface of the security policy that you want to apply traffic shaping to.

    Shared shaper

    Enable this option, and select a traffic shaper in the drop-down list.

    Reverse shaper

    Enable this option, and select a traffic shaper in the drop-down list.

    Per-IP shaper

    Enable this option, and select a traffic shaper in the drop-down list.

  7. Select OK.
Create a traffic shaping policy – CLI

config firewall shaping-policy

edit <shaping_policy_ID>

set ip-version {4 | 6}

set name <policy_name>

set srcaddr <source_address>

set dstaddr <destination_address>

set service <service_name>

set application <application_name>

set app-category <application_category_ID_list>

set url-category <URL_category_ID_list>

set dstintf <destination_interface_list>

set traffic-shaper <traffic_shaper_name>

set traffic-shaper-reverse <reverse_traffic_shaper_name>

set per-ip-shaper <per_IP_shaper_name>

next

end

Example: Configuring traffic shaping for Facebook

The following example shows how to configure application control traffic shaping for Facebook, with a medium priority.

Example using the FortiGate GUI

Create a general Internet access security policy by completing the following tasks:

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select Create New.
  3. Set Name to Internet access.
  4. Set Incoming Interface to Internal.
  5. Set Outgoing Interface to wan1.
  6. Set Source to all.
  7. Set Destination to all.
  8. Set Schedule to always.
  9. Set Service to ALL.
  10. Set Action to ACCEPT
  11. In the Security Profiles section, enable Application Control, and select the default application control profile.
  12. Select OK.
Example using the FortiGate CLI
  1. Create a general Internet access security policy by entering the following commands:

    config firewall policy

    edit 1

    set name Internet access

    set srcintf Internal

    set dstintf wan1

    set srcaddr all

    set dstaddr all

    set schedule always

    set service ALL

    set action accept

    set utm-status enable

    set application-list default

    set nat enable

    next

    end

  2. Create a new traffic shaping policy and apply it to the security policy that you created above by entering the following commands:

    config firewall shaping-policy

    edit 1

    set ip-version 4

    set name Facebook

    set srcaddr all

    set dstaddr all

    set service ALL

    set application 15832

    set app-category 23

    set url-category 37

    set dstintf wan1

    set traffic-shaper medium-priority

    set traffic-shaper-reverse medium-priority

    next

    end