Basic FortiGate Traffic Shaping Introduction

Video Statistics and Information

Captions
Hey guys, Mike here. Um, I'm going to do a video that basically discusses traffic shaping for you. I just got done uploading, or updating, my FortiWiFi 61E that I use for my lab to 6.0.4. For those of you that don't know this, except for 6.0.3 I had a GUI load issue where, you know, if you were going to DHCP monitor, IPsec monitor, or, hell, a lot of the pages, it would just sit there and spin unless you clicked off of it or did certain things. So 6.0.4 fixed that for me.

But yeah, this video is gonna be on traffic shaping, a very basic approach to traffic shaping, so it may cause you guys to ask questions that you didn't already know or that come to mind because you just didn't really understand how it works, and that's fine. Just hit them up in the comments and I'll answer however I can. Also, while I'm making this video I'm in the process of updating over 40 48 from a FortiManager, so if you haven't played with the FortiManager or FortiAnalyzer, I definitely recommend it. I actually manage and maintain over a thousand different FortiGates thanks to FortiManager, so it makes it very easy for me between the clients I consult and the ones I'm directly responsible for.

But anyways, so, a basic explanation to how traffic shaping works in 6.0. So back in 5.2 and all that jazz you would apply traffic shaping through app control or on the policy itself or, you know, things like that, which is, um, super granular, but it's really easy to forget where you placed things and all that. So in 6.0 they basically broke traffic... well, they did this previously, but it continues to operate in this manner in 6.0. You have two sections, right? You have traffic shapers, which you can think of as UTM sensors that you apply to your traffic shaping policy, and the traffic shapers are the things that give you the ability to, you know, set the parameters, right? Like if I want to create a shared shaper, which means all the IPs that that shaper is applied to share whatever allocation you put in the shaper, you know, you just create a new shared and you apply it to your traffic shaping policy. If you wanted to do a per-IP shaper, which means if you have a hundred different IPs on your network and you wanted them all guaranteed at least one Meg of the hundred Meg link that your office has, you could do a per-IP guaranteed hundred Meg or, you know, max bandwidth of 100 Meg, however you wanted to do it.

So the two main things for your shapers are shared shaper, per-IP shaper. Shared: every IP that hits that shaper shares the allocated parameters of the setting. Per-IP: each IP individually is able to extend to the max of whatever that shaper says.

So let me switch on over here. As you've seen, FortiWiFi 61E. Under policies and objects, this has a very basic policy, right? It's just a dummy policy that says I'll allow all. This is what you would use out of the box if you were really, really paranoid about breaking things, right? So you come down to traffic shapers, and as you can see I have none. You can create new, and you have your shared and per-IP. So on your shared you can say guaranteed bandwidth, I at least want them to have a Meg; you can say your maximum bandwidth I want them to have is 10 Meg; and you would name it something appropriate, that way you're very, very clear. We're not gonna worry about the DSCP right now; those things will be in the more advanced video, so that'll give us some direction there. So this is a 10 Meg shared shaper, so all the IPs on this network will share these parameters, meaning, though, they'll have a guaranteed 1 Meg between all of them and a max of 10 Meg between all of them, which means they pretty much get guaranteed 100k each, 1 Meg each, etc. Create, okay.

Then you come down to your... now remember I said to treat this like it's a UTM sensor that you would apply to your policy, because you'll actually define your policy right here under traffic shaping policy. So by default it sets up an implicit one that is everything's medium priority for any out-facing interface, etc. So I come in here, create new. Source: if you have a group of users or a group of IPs you can set that here. So for instance, if anything on the 10 da-da-da slash eight going to anything related to update.microsoft.com or just that... well, actually let's do all. During work hours... oh, I don't have a schedule. Okay, let's skip schedule for now. Schedule lets you make it only apply during certain times of the day, but the only schedule I have on this box is the always, so it's kind of a moot point.

I don't really care about services, so I'll say all of them. But then you can say application category: is it doing updates, is it doing social media, peer-to-peer? And you know you don't want folks doing peer-to-peer and nuking your internet connection when you're sitting there trying to do standard work stuff, right? So you can get very granular here, down to the actual application that's being used, the category of the URL. Very, very fluid here.

So for starters we'll say all services, all destinations, from my internal network, if it is an update. Now, what this little alert right here is telling us is this won't actually be put in use because I don't have application control enabled on that dummy policy I created, but for the sake of demonstration it'll be fine. And you say outgoing interface: well, that's my outside interface, because that's my zone that has all of my WAN members in it. And it's a shared shaper, so I'll use 10 Meg. You would throw your per-IP in here or your reverse in here. So this is very, very, very simple, and just like your firewall, this will read it top down, left to right, like you do.

Um, so basically what this says is any of my 10 da-da-da space going anywhere via the outside interface, use the 10 Meg shared if it's... you know, where are you... if it's an update category. By default it takes off a lot of the things, so I had to add this. That's my bad. So anything from the 10 space going anywhere via the outside address interface, or the outside interface, use the 10 Meg shared if it's in the application category of update. This is useful in situations where you want to be able to perform updates during the day but you don't necessarily want to nuke your users' ability to surf the Internet, perform work functions, things like that, and the last thing we want to do is cause work outages.

So yeah, like I said, very, very basic breakdown of how it works: create your shaper, assign the parameters to it that you wish, name it appropriately so you can keep things organized, standardization's key, and then you create your actual policy and apply that shaper to the policy based on your source or destination and the destination interfaces. You can do this... you don't have to do this just from inside to outside; you can do outside to inside or outside to DMZ. So if you have a web server that's providing, you know, public downloads for some reason, you throttle that to keep it from overwhelming your link. Also, you know, if you know you have a slower link between two devices, let's say you have a switch somewhere that's only 100 Meg, you can perform shaping here to make sure that you don't overrun that switch, to keep mission-critical stuff operational.

So, but that's it. If you have any questions let me know. I'm going to come up with an agenda for a more in-depth video, and then from there we can explain things like the DSCP and just how granular you can get. So, but until then, ask any questions below and I'll be more than happy to answer. Thanks.
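A small Python model of the policy matching and bandwidth sharing described in the captions, added here as an illustration; it is not from the video or from Fortinet, and it is not FortiOS code. The class and function names, the `10Meg-Shared` and `10Meg-PerIP` shaper names, the `outside` zone name and the even split between busy hosts are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Shaper:
    name: str
    kind: str              # "shared" or "per-ip"
    guaranteed_kbps: int
    maximum_kbps: int

@dataclass
class ShapingPolicy:
    src: str                     # source subnet
    dst_intf: str                # outgoing interface or zone
    app_category: Optional[str]  # None means any application
    shaper: Shaper

def match_policy(policies, src_ip, dst_intf, app_category, app_control_enabled):
    """Return the first policy that matches, reading the list top down."""
    for p in policies:
        if ip_address(src_ip) not in ip_network(p.src):
            continue
        if p.dst_intf != dst_intf:
            continue
        if p.app_category is not None:
            # Traffic is only classified when application control runs on the
            # firewall policy; without it this criterion can never match.
            if not app_control_enabled or p.app_category != app_category:
                continue
        return p
    return None

def per_host_share(shaper, busy_hosts):
    """(guaranteed, maximum) kbps per host when busy_hosts saturate the shaper."""
    if shaper.kind == "shared":
        # One pool for everyone; an even split is a simplifying assumption.
        return (shaper.guaranteed_kbps // busy_hosts,
                shaper.maximum_kbps // busy_hosts)
    return (shaper.guaranteed_kbps, shaper.maximum_kbps)  # per-IP: own allocation

# Constructed sample mirroring the demo: 1 Meg guaranteed, 10 Meg max, shared.
SHARED_10M = Shaper("10Meg-Shared", "shared", 1000, 10000)
PER_IP_10M = Shaper("10Meg-PerIP", "per-ip", 0, 10000)
POLICIES = [ShapingPolicy("10.0.0.0/8", "outside", "Update", SHARED_10M)]

if __name__ == "__main__":
    hit = match_policy(POLICIES, "10.1.2.3", "outside", "Update", True)
    print(hit.shaper.name, per_host_share(hit.shaper, 10))
```

With ten busy hosts the shared shaper works out to the 100k guaranteed and 1 Meg each mentioned in the captions, and the same policy matches nothing once application control is off.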
Info
Channel: Fortinet Guru
Views: 33,392
Keywords: fortigate, traffic shaping
Id: 8acCOgIezR4
Length: 9min 14sec (554 seconds)
Published: Sat Jan 12 2019