This article describes how to apply traffic shaping (QoS) to throttle outbound traffic.
Scope
FortiGate.
Solution
In this example, traffic shaping is demonstrated over an IPsec tunnel by throttling outbound RDP traffic on FGT_A.
Topology:
LAN (172.16.10.0/24) == FGT_A ==IPSEC TUNNEL== FGT_B == LAN(192.168.36.0/24)
FGT_A’s Configuration.
Firewall Policy:
config firewall policy
    edit 6
        set srcintf "port1"
        set dstintf "toFGT_B"
        set action accept
        set srcaddr "toFGT_B_local"      <-- Source address 172.16.10.0/24
        set dstaddr "toFGT_B_remote"     <-- Destination address 192.168.36.0/24
        set schedule "always"
        set service "RDP"
    next
end
Static Route:
config router static
    edit 2
        set device "toFGT_B"             <-- VPN tunnel
        set dstaddr "toFGT_B_remote"     <-- Destination 192.168.36.0/24
    next
end
Traffic Shaper:
config firewall shaper traffic-shaper
    edit "1MB-Shaper-Throttle"
        set maximum-bandwidth 1024
    next
end
Traffic Shaping Policy:
config firewall shaping-policy
    edit 1
        set name "RDP_Shaping"
        set service "RDP"
        set srcintf "port1"
        set dstintf "toFGT_B"
        set traffic-shaper "1MB-Shaper-Throttle"   <-- Must match the shaper name defined above
        set srcaddr "toFGT_B_local"
        set dstaddr "toFGT_B_remote"
    next
end
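The shaping policy only takes effect if the shaper it names actually exists and if its interface/service tuple is also matched by an accepting firewall policy, otherwise the traffic is either dropped or forwarded unshaped. The following is an added example, not Fortinet code: a small offline lint for a FortiOS configuration backup in the "config / edit / set / next / end" text form shown above. It assumes the section names "firewall shaper traffic-shaper", "firewall shaping-policy" and "firewall policy" as they appear in this article, and it simplifies service matching (a firewall policy service of "ALL" covers any shaping-policy service; otherwise the names must overlap). The embedded sample configuration is constructed to mirror FGT_A, with the shaper reference deliberately misspelled so the lint has something to report.

```python
"""Offline lint for FortiOS traffic-shaping configuration (added example, not Fortinet's code)."""
import shlex
from collections import defaultdict

# Constructed sample modelled on FGT_A. The shaping policy references
# "1MB-Shaper" while the shaper object is named "1MB-Shaper-Throttle".
SAMPLE_CONFIG = """\
config firewall policy
    edit 6
        set srcintf "port1"
        set dstintf "toFGT_B"
        set action accept
        set srcaddr "toFGT_B_local"
        set dstaddr "toFGT_B_remote"
        set schedule "always"
        set service "RDP"
    next
end
config firewall shaper traffic-shaper
    edit "1MB-Shaper-Throttle"
        set maximum-bandwidth 1024
    next
end
config firewall shaping-policy
    edit 1
        set name "RDP_Shaping"
        set service "RDP"
        set srcintf "port1"
        set dstintf "toFGT_B"
        set traffic-shaper "1MB-Shaper"
        set srcaddr "toFGT_B_local"
        set dstaddr "toFGT_B_remote"
    next
end
"""


def parse_fortios(text):
    """Parse the config/edit/set/next/end form into
    {section path: {entry id: {key: [values]}}}.
    Nested 'config' blocks are keyed by their full space-joined path
    (simplification: entry association of nested blocks is not tracked)."""
    tree = defaultdict(dict)
    path = []     # stack of section names
    entries = []  # stack of current entry ids (None outside an 'edit')
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            path.append(" ".join(args))
            entries.append(None)
        elif cmd == "edit":
            entries[-1] = args[0]
            tree[" ".join(path)].setdefault(args[0], {})
        elif cmd == "set":
            tree[" ".join(path)].setdefault(entries[-1], {})[args[0]] = args[1:]
        elif cmd == "next":
            entries[-1] = None
        elif cmd == "end":
            path.pop()
            entries.pop()
    return tree


def _covers(fw_policy, shaping_policy):
    """True if an accepting firewall policy matches the shaping policy's
    srcintf/dstintf/service. 'any'/'ALL' in the firewall policy covers all."""
    if fw_policy.get("action", ["deny"]) != ["accept"]:
        return False
    for key in ("srcintf", "dstintf", "service"):
        fw_vals = set(fw_policy.get(key, []))
        sp_vals = set(shaping_policy.get(key, []))
        if "any" in fw_vals or "ALL" in fw_vals or not sp_vals:
            continue
        if not fw_vals & sp_vals:
            return False
    return True


def lint_shaping(tree):
    """Return findings: (a) shaper names referenced by a shaping policy that
    do not exist, (b) shaping policies no accepting firewall policy covers."""
    findings = []
    shapers = set(tree.get("firewall shaper traffic-shaper", {}))
    ip_shapers = set(tree.get("firewall shaper per-ip-shaper", {}))
    fw_policies = tree.get("firewall policy", {})
    for pid, sp in tree.get("firewall shaping-policy", {}).items():
        for key, pool in (("traffic-shaper", shapers),
                          ("traffic-shaper-reverse", shapers),
                          ("per-ip-shaper", ip_shapers)):
            for name in sp.get(key, []):
                if name not in pool:
                    findings.append(f"shaping-policy {pid}: {key} '{name}' is not defined")
        if not any(_covers(fp, sp) for fp in fw_policies.values()):
            findings.append(f"shaping-policy {pid}: no accepting firewall policy "
                            "matches its srcintf/dstintf/service")
    return findings


def lint_text(text):
    """Convenience wrapper: parse a config backup and lint it."""
    return lint_shaping(parse_fortios(text))


if __name__ == "__main__":
    for line in lint_text(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run it against a "show full-configuration" export to catch dangling shaper references and shaping policies that nothing will ever route through before the change window; on the live unit the CLI itself rejects an unknown shaper name, but pasted or templated backups are not checked until they are restored.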
FGT_B’s Configuration.
Firewall Policy:
config firewall policy
    edit 1
        set name "vpn_toFGT_A_remote"
        set srcintf "toFGT_A"
        set dstintf "port2"
        set srcaddr "toFGT_A_remote"     <-- Source address 172.16.10.0/24
        set dstaddr "toFGT_A_local"      <-- Destination address 192.168.36.0/24
        set action accept
        set schedule "always"
        set service "RDP"
    next
end
Static Route:
config router static
    edit 2
        set device "toFGT_A"
        set dstaddr "toFGT_A_remote"     <-- Destination 172.16.10.0/24
    next
end
For testing, a file transfer from 172.16.10.2 to 192.168.36.2 is performed over RDP.
On the host 172.16.10.2, ~1 MB is sent.
On the host 192.168.36.2, ~1 MB is received.
On FGT_A, under Policy & Objects > Traffic Shaping, the shaper created above is shown throttling the transfer over RDP.