FortiGate: Basic Traffic Shaping Of YouTube (FortiOS 6.4.0)

Video Statistics and Information

If you have been managing firewalls for at least a year, chances are you've already run into a situation, especially in smaller to medium sized organizations, where you've been asked to either traffic shape or limit or quality of service either users or specific applications and destinations, and that's exactly what this video is going to discuss. So let's dive right in and let's see the basics on a FortiGate.

[Music]

Alright guys, so here's the scenario for this particular video. We work for a small organization that only has a 20 meg internet connection. They have found that their Internet is becoming slow at times, and after looking at the FortiAnalyzer they have noticed that there is a great deal of web traffic going to YouTube during the times that the slowness is being experienced. So they're looking to their firewall engineer to use traffic shaping to not block YouTube, because they don't want to completely block it; it's considered a morale booster for their organization. So instead they wish to just slow it down and make sure it doesn't consume too much bandwidth, and for the sake of this video they wish to limit YouTube usage to 5 megabits at any given time.

Now, when you're doing traffic shaping on a FortiGate, there's a few things you need to remember. One, there's multiple types of shapers: there's a shared shaper and then there is a per-IP shaper. A shared shaper means any group of IPs that hit the particular policy that does the shaping, they all fall into that category; they share that pot, if you will. On a per-IP shaper, if you have a 5 meg limit on YouTube, that's per IP that hits that policy, so and 1.3 each get five meg; it's not 5 meg combined that they have to split. So just remember that when you dive in, right?

The next thing you have to look at is, not only do you have shared shapers and per-IP shapers, but you have regular shapers and reverse shapers. Now, you don't actually have to edit anything on the reverse shaping; that's just how it's applied to the policy. So, for instance, in our situation we want to limit YouTube usage to five megabits max, right, and we want to give it a lower priority. So how would we go about doing that? Well, we would configure our shaper, set it to low, tell it to have a max bandwidth of 5 megabits, or 5000 kilobits per second, and then we're actually going to go in and create our traffic shaper.

So the traffic shaping has to be done in a very specific way for it to work the way we intended. A traffic shaper policy applies the traffic shaper based on the direction that policy is pointing. So if you're going from LAN to WAN, that means traffic going in that direction is what's going to be shaped, which means we need to apply a reverse shaper to that same policy to prevent the downloads from taking up too much space as well. So we're going to jump into our FortiWiFi now, apply the policy set and be able to explain this as we go.

We're looking cleanly at our firewall, right? Take note that in order to do traffic control or traffic shaping or anything of that nature, whether it's traffic policing, traffic shaping, queuing or anything, you have to have policy. If you're going to do it based on application, for starters, you have to have an actual policy that is viewing the application data. If you don't have a policy that's using application, and that's not the policy that users are hitting to go out to said resources, the shaper's not going to do you a whole lot of good.

So we have our firewall policy here. You would be surprised at how many environments I run into that have a single policy for outbound traffic just like this. Don't do this; break it out based on source and destination so you have a good security posture. Needless to say, this is how most environments are done. So we have our policy here that says, you know, to our base level application control.

Now we're going to dive into our traffic shapers here. So we have to actually create the shaper that we want to use to limit YouTube to five megabits, and as I mentioned, there are shared shapers and there are per-IP shapers. We're going to do a shared shaper; we want the group to be limited to five megabits total, not five megabits each. And we're going to call this YouTube shaper five Meg. I like to keep my names relatively straightforward so I know exactly what they're related to. This traffic priority, we're going to make it low. We do not care about this traffic as far as "oh no, they can't get to YouTube right now" or it's not getting queued less than the proper manner. We want it to be low priority; we want our voice in our office and things like that to work well. And we want it to have a maximum bandwidth of 5,000 kilobits per second. And that's all we need to do here: name our shaper, give it a low priority, and then give it the appropriate maximum bandwidth that we wish to do, which, we have a 20 meg, so 25% of that throughput, and click OK.

Now our next step is to actually build the policy that's going to apply that shaper to it. So we go down to the traffic shaping policy, and as you can see, by default you have the one that assigns from any interface; it applies a shaper of medium and everything is the same priority. That's how it is out of the box. So, create new. We're going to name this one YouTube. We want to limit YouTube to all users going to all destinations. Obviously you can't keep up with YouTube as far as what content delivery networks they are; Google spins up too many on a daily basis to actually keep that accurate. So we do all sources to all destinations. Our executives aren't using YouTube; they're hardly, if ever, in the office, they're too busy, you know, business dealing and things like that. So all sources to all destinations is who we want to apply this to, and we want to do all services, because you never know if an application is actually going to use the normal protocol services that you expect or if they might use something that the developer moved it to, right?

And then our application: we wish to apply this to YouTube. Now, as you can see here, I've created an application group titled YouTube that has all these guys in it, and we'll just select that and click close. Take note, if you don't have any level of deep packet inspection enabled, the various pieces of YouTube, if you only wanted to block uploading or only specific downloading or certain things like that, you need the packet inspection to actually see those functions within the website; otherwise it'll just see it as YouTube in general. So we're doing it for YouTube as a whole, though, so I just created that group for that.

Now we need to actually apply our shaper. Our action is to apply the shaper, and it's if the outgoing interface is outside. Now, for our shared shaper, that's the one where, you know, everybody's limited to five meg total, not each. Now, as I mentioned, a shared shaper goes in the direction of your traffic shaping policy, and as you can see here, we're going from any interface to the outside interface, which means it'll traffic shape uploads and things like that as it stands now. We need to now apply a reverse shaper to get the traffic that's coming in off of that policy as well. And that right there, those two options set on this particular policy, will limit your YouTube usage to 5 megs total across the entire organization. And you click OK and you see it there.

So traffic shaping isn't overly complicated on a FortiGate. You can get very granular with it; in fact, you can even use it based on web filter categories and things like that. You can do more specific policy sets. Our policy was all/all; you can knock it down to where all users except for executives get this applied to, especially if you're using Fortinet Single Sign-On or something along those lines to help give you more level, to give you a higher level of control based on the policy and who you wish to apply it to.

So hopefully this provides you with what you need to get started with traffic shaping. If you have any questions specific to it, please don't hesitate to comment below. I love reading them, I love responding to them, and they help make the content that I provide here better. As always, if you like the video, please do me a favor and hit a like button, and then subscribe and hit that notify bell so you'll know when more content comes out. We shoot for a video a day, and our goal is to provide not only the how but the why to networking as a whole, configuring your Fortinet hardware as a whole, so that when you run into a situation where you actually have to troubleshoot, you're not just a parrot that was able to copy and paste some commands, but you actually understand why it behaves that way as well.
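
The GUI steps described in the transcript, written out as FortiOS CLI configuration. This is an added example, not taken from the video: the shaper object name is an assumed spelling of the spoken name, the same shaper is assumed for both directions, and the "YouTube" application group and "outside" interface are assumed to exist already as the video describes.

```fortios
# Lines starting with "#" are notes for the reader, not CLI input.

# 1. Shared shaper: one 5000 kbps pool for every session that matches,
#    queued at low priority. The object name is an assumed spelling.
config firewall shaper traffic-shaper
    edit "YouTube_Shaper_5Meg"
        set priority low
        set bandwidth-unit kbps
        set maximum-bandwidth 5000
    next
end

# 2. Shaping policy: all sources, all destinations, all services,
#    matched on the existing "YouTube" application group, leaving via
#    the "outside" interface. "edit 0" takes the next free policy ID.
config firewall shaping-policy
    edit 0
        set name "YouTube"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set app-group "YouTube"
        set dstintf "outside"
        # Forward direction (toward "outside"): uploads.
        set traffic-shaper "YouTube_Shaper_5Meg"
        # Reverse direction (traffic coming back in): downloads.
        # Assumption: the same shaper object is reused here.
        set traffic-shaper-reverse "YouTube_Shaper_5Meg"
    next
end

# 3. Confirm the shaper is being hit and check current bandwidth and drops.
diagnose firewall shaper traffic-shaper list
```

The application group only matches if the firewall policy that carries the users' outbound traffic has application control applied, as the transcript points out; without it the shaping policy never sees YouTube as an application.
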
Channel: Fortinet Guru
Views: 14,131
Keywords: traffic shaping, fortigate traffic shaping, traffic shape youtube, fortios 6.4.0, fortigate reverse traffic shaping
Id: aajFqOdH3qk
Length: 9min 49sec (589 seconds)
Published: Sat May 09 2020