FortiWAN Traffic Statistics for Tunnel Routing and IPSec

Compared with general IP transmission, traffic transferred through FortiWAN’s Tunnel Routing or IPSec carries the extra cost of GRE/ESP encapsulation and decapsulation (see “Tunnel Routing” and “IPSec VPN”). In order to allocate bandwidth individually to the applications encapsulated in GRE and ESP packets, Tunnel Routing and IPSec are designed to be transparent to Bandwidth Management (see “Bandwidth Management”): Bandwidth Management shapes the traffic before packet encapsulation or after packet decapsulation. FortiWAN’s traffic statistics are tied to the operation of Bandwidth Management, which means that Tunnel Routing and IPSec traffic is only partially transparent to the statistics functions. FortiWAN provides traffic statistics in three ways: BM logs, statistics on the Web UI and FortiWAN Reports. Traffic statistics for Tunnel Routing and IPSec in each of the three are discussed below.

BM logs

A BM log is actually a set of traffic statistics (inbound-pkts, inbound-bytes, outbound-pkts, outbound-bytes, total-pkts and total-bytes) over a time period for a traffic flow (source IP, destination IP, source port and destination port) that matches a Bandwidth Management filter (see Log format in “Log View”). Bandwidth Management treats the traffic equally regardless of whether it is later transferred through Tunnel Routing or IPSec. The BM log therefore gives no direct indication (through the source port and destination port fields) of whether a transmission was actually done by Tunnel Routing, IPSec or normal IP routing. You might recognise a Tunnel Routing or IPSec transmission from the source IP and destination IP in the logs, if those IP addresses are predefined solely for Tunnel Routing and IPSec transmission. The only situation in which you see GRE or ESP indicated by the source port and destination port fields of a BM log is when the traffic comes from other VPN devices.

Statistics on Web UI

The pages Statistics > Traffic and Statistics > BM (see “Statistics > Traffic” and “Statistics > BM”) report traffic statistics by WAN link and by defined Bandwidth Management class, which tells nothing directly about Tunnel Routing and IPSec traffic. The way to identify traffic transferred through Tunnel Routing or IPSec is to create a BM class and BM filter that classify the traffic by the source IP and destination IP defined in Tunnel Routing’s routing rules or IPSec’s Quick Mode selectors.

The page Statistics > Tunnel Traffic (see “Statistics > Tunnel Traffic”) is the only page that reports traffic statistics for Tunnel Routing. Although traffic statistics are reported per defined Tunnel Routing group, statistics for the individual applications inside the tunnel traffic are unavailable here.

The page Statistics > IPSec (see “Statistics > IPSec”) tells nothing about IPSec traffic statistics; only IPSec connectivity states are reported here.

FortiWAN Reports

Unlike BM logs, the service of traffic transferred through Tunnel Routing is indicated as GRE in Reports (see “Reports > Bandwidth Usage > Services”). The individual service types of the original packets encapsulated by Tunnel Routing become invisible in Reports. GRE traffic passing through FortiWAN from other VPN devices and GRE traffic generated by FortiWAN Tunnel Routing are both counted into the GRE service on the page Reports > Bandwidth Usage > Services, which might be confusing; drilling down by Internal IP, Inclass or Outclass can tell them apart. As for traffic transferred through IPSec, Reports counts the traffic by individual application (the original packets before ESP encapsulation or after ESP decapsulation) rather than counting it into an ESP service. FortiWAN IPSec is transparent to Reports statistics.

Here is a summary of the discussion above (O: the traffic is controlled or counted there, X: it is not).

Traffic transferred through IPSec Tunnel mode

                Original traffic    ESP encapsulated traffic
  BM Control    O                   X
  BM log        O                   X
  Reports       O                   X

Traffic transferred through Tunnel Routing or IPSec Transport mode

                Original traffic    GRE encapsulated traffic    ESP encapsulated traffic
  BM Control    O                   X                           X
  BM log        O                   X                           X
  Reports       X                   O                           X

A simple example explains the difference between the statistics methods. Consider that user A generates 60MB of FTP traffic and 80MB of HTTP traffic and transfers them through normal IP routing, while user B generates 40MB of FTP traffic and 20MB of HTTP traffic and transfers them through Tunnel Routing (through one tunnel group). All the traffic is controlled by Bandwidth Management, so there will be four BM logs indicating:

  • user A (source IP) generates FTP traffic (source or destination port) of 60MB
  • user B (source IP) generates FTP traffic (source or destination port) of 40MB
  • user A (source IP) generates HTTP traffic (source or destination port) of 80MB
  • user B (source IP) generates HTTP traffic (source or destination port) of 20MB

From the BM logs, we have no idea which traffic was transferred through Tunnel Routing. What we know from the logs is that 100MB of FTP traffic and 100MB of HTTP traffic passed through FortiWAN, 200MB in total.

On the page Statistics > Tunnel Traffic, we see 60MB of tunnel traffic (part of the 200MB) belonging to the tunnel group. However, it tells nothing about the statistics for the individual services (FTP and HTTP) inside the tunnel traffic.

As for Reports > Service, statistics by service are displayed as follows:

  • FTP = 60MB
  • HTTP = 80MB
  • GRE = 60MB
  • Total = 200MB

All the tunnel traffic (the FTP and HTTP traffic generated by user B) is classified as GRE, and we have no idea what the original services in it are. What we can do is drill down by Internal IP to identify the generator, user B, or drill down by Inclass and Outclass to identify the individual services if the corresponding BM classes are well defined.

Considering IPSec transmission with the same example, user B generates the same traffic but transfers it through IPSec. We will have the same BM logs as discussed above, and again have no idea which service is transferred through IPSec. On the page Reports > Service, the traffic is counted as follows:

  • FTP = 100MB
  • HTTP = 100MB
  • Total = 200MB

Drilling down by Internal IP can identify the generators, user A and user B, but it tells nothing about an ESP service.
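The following Python is an added illustration, not part of the FortiWAN guide or of any Fortinet software: it models the three accounting rules described above (BM logs count the original service before encapsulation, Statistics > Tunnel Traffic counts only Tunnel Routing bytes, Reports folds Tunnel Routing traffic into GRE while leaving IPSec traffic under its original service) and reproduces both the Tunnel Routing and the IPSec variants of the example. The internal IP addresses are constructed sample values.

```python
from collections import defaultdict

# Constructed sample flows modelled on the guide's example; the IPs are made up.
# Each flow: (internal IP, service, megabytes, transport), where transport is
# "ip" (normal IP routing), "tr" (Tunnel Routing, GRE) or "ipsec" (IPSec tunnel mode).
FLOWS_TR = [
    ("10.0.0.1", "FTP", 60, "ip"),     # user A
    ("10.0.0.1", "HTTP", 80, "ip"),
    ("10.0.0.2", "FTP", 40, "tr"),     # user B via Tunnel Routing
    ("10.0.0.2", "HTTP", 20, "tr"),
]
# Same example with user B sending through IPSec instead of Tunnel Routing.
FLOWS_IPSEC = [(ip, svc, mb, "ipsec" if t == "tr" else t) for ip, svc, mb, t in FLOWS_TR]


def bm_logs(flows):
    """BM logs: shaping happens before encapsulation / after decapsulation, so every
    flow is logged under its original service and source IP whatever the transport."""
    totals = defaultdict(int)
    for ip, service, mb, _transport in flows:
        totals[(ip, service)] += mb
    return dict(totals)


def tunnel_traffic(flows):
    """Statistics > Tunnel Traffic: only bytes carried by Tunnel Routing, summed for
    the (single) tunnel group, with no per-service breakdown."""
    return sum(mb for _ip, _service, mb, transport in flows if transport == "tr")


def reports_services(flows):
    """Reports > Bandwidth Usage > Services: Tunnel Routing traffic is counted as GRE
    (original service hidden); IPSec traffic keeps its original service (transparent)."""
    totals = defaultdict(int)
    for _ip, service, mb, transport in flows:
        totals["GRE" if transport == "tr" else service] += mb
    totals["Total"] = sum(totals.values())
    return dict(totals)


def drill_down_by_internal_ip(flows, service_label):
    """Drill one Reports service down by Internal IP, the guide's way of finding which
    host generated the GRE traffic (returns {ip: MB} for that service)."""
    totals = defaultdict(int)
    for ip, service, mb, transport in flows:
        if ("GRE" if transport == "tr" else service) == service_label:
            totals[ip] += mb
    return dict(totals)


def reconcile(flows):
    """Sanity check for a report reader: BM-log bytes and the Reports total must match
    even though the two service breakdowns differ."""
    return sum(bm_logs(flows).values()) == reports_services(flows)["Total"]
```

Running reports_services on FLOWS_TR gives FTP 60, HTTP 80, GRE 60 (total 200), while FLOWS_IPSEC gives FTP 100 and HTTP 100 with no ESP entry, matching the two Reports listings above.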

This entry was posted in Administration Guides, FortiWAN on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
