Fortinetguru Com 2019 10 Traffic Shaping

This document discusses traffic shaping and bandwidth limiting on FortiGate interfaces. It describes how to configure interface bandwidth limits on the GUI and CLI to control incoming and outgoing traffic. It also covers Type-of-Service (ToS)-based traffic prioritization, shared traffic shapers, and applying different bandwidth guarantees and maximums to traffic using firewall shaping policies.

Traffic shaping

Interface bandwidth limit

You can limit interface bandwidth for arriving and departing traffic. In some cases, the traffic received on an
interface could exceed the maximum bandwidth limit defined in the security policy. Rather than waste
processing power on packets that will get dropped later in the process, you can configure FortiGate to
preemptively drop excess packets when they’re received at the source interface. A similar command is
available for the outgoing interface.

The following diagram shows how excess packets going from LAN to WAN1 can be intercepted and dropped
at the source interface.

To configure an interface bandwidth limit on the FortiOS GUI:

1. Go to Interface.
2. Click interface port1, and click Edit on the top menu bar.
3. Go to the Traffic Shaping section, and set the following options:
   1. Enable Inbound Bandwidth and type 200.
   2. Enable Outbound Bandwidth and type 400.
   The default bandwidth unit is kbps.
4. Click OK.

To configure an interface bandwidth limit on the FortiOS CLI:

1. On the FortiGate, configure the interface bandwidth limit:

config system interface
    edit "port1"
        .....
        set inbandwidth 200
        set outbandwidth 400
        .....
    next
end

ToS-based traffic prioritization

This traffic prioritization method puts packets into the following queues based on their Type of Service (ToS)
value:

- High
- Medium
- Low

ToS-based traffic prioritization cannot be used to apply bandwidth limits and guarantees, but it can be used
to prioritize traffic at per-packet levels.

You can use the following command to configure the default system-wide level of priority:

config system global
    set traffic-priority-level {high | low | medium}
end

You can also prioritize packets according to the ToS bit value in the packet’s IP header by using the following
command:

config system tos-based-priority
    edit <id_int>
        set tos [0-15]
        set priority {high | low | medium}
    next
end

Example

The following configuration shows that packets with ToS bit values of 10 are prioritized as medium and
packets with ToS bit values of 20 are prioritized as high. All the other traffic is prioritized as low.

config system global
    set traffic-priority-level low
end

config system tos-based-priority
    edit 1
        set tos 10
        set priority medium
    next
    edit 2
        set tos 20
        set priority high
    next
end

Shared traffic shaper


Shared traffic shaper is used in a firewall shaping policy to indicate the priority and guaranteed and maximum
bandwidth for a specified type of traffic use.

The maximum bandwidth indicates the largest amount of traffic allowed when using the policy. You can set
the maximum bandwidth to a value between 1 and 16776000 Kbps. The GUI displays an error if any value
outside this range is used. If you want to allow unlimited bandwidth, use the CLI to enter a value of 0.

The guaranteed bandwidth ensures that there is a consistent reserved bandwidth available. When setting the
guaranteed bandwidth, ensure that the value is significantly less than the interface’s bandwidth capacity.
Otherwise, the interface will allow very little or no other traffic to pass through, potentially causing unwanted
latency.

In a shared traffic shaper, the administrator can prioritize certain traffic as high, medium, or low. FortiOS
provides bandwidth to low priority connections only when high priority connections do not need the
bandwidth. For example, you should assign a high traffic priority to a policy for connecting a secure web
server that needs to support e-commerce traffic. You should assign less important services a low priority.

When you configure a shared traffic shaper, you can apply bandwidth shaping per policy or for all policies. By
default, a shared traffic shaper applies traffic shaping evenly to all policies that use the shared traffic shaper.

When configuring a per-policy traffic shaper, FortiOS applies the traffic shaping rules defined for each security
policy individually. For example, if a per-policy traffic shaper is configured with a maximum bandwidth of 1000
Kbps, any security policies that have that traffic shaper enabled get 1000 Kbps of bandwidth each.

If a traffic shaper for all policies is configured with a maximum bandwidth of 1000 Kbps, all policies share the
1000 Kbps on a first-come, first-served basis.

The configuration is as follows:

config firewall shaper traffic-shaper
    edit "traffic_shaper_name"
        set per-policy enable
    next
end
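The limits in this section (a maximum bandwidth of 1 to 16776000 kbps, 0 meaning unlimited from the CLI, guarantees kept well below interface capacity, and per-policy shapers handing each referencing policy its own allocation) are easy to get wrong across a set of shapers. The following is an added example, not code from FortinetGuru or Fortinet, that lints a set of shaper definitions before they are committed. The shaper and policy dictionaries, the 80% headroom threshold and the "guarantee must not exceed maximum" rule are this example's own assumptions; only the kbps range and the 0-means-unlimited rule come from the page.

```python
"""Lint shared traffic shaper definitions against the limits stated on the page."""

# From the page: the GUI accepts 1..16776000 kbps; the CLI accepts 0 for unlimited.
MAX_BANDWIDTH_KBPS = 16776000
UNLIMITED = 0

# This example's own threshold for "significantly less than the interface capacity".
GUARANTEE_WARN_RATIO = 0.8


def check_shaper(name, guaranteed_kbps, maximum_kbps):
    """Findings for a single shaper definition; an empty list means it passed."""
    findings = []
    if maximum_kbps != UNLIMITED and not (1 <= maximum_kbps <= MAX_BANDWIDTH_KBPS):
        findings.append(
            f"{name}: maximum-bandwidth {maximum_kbps} is outside 1-{MAX_BANDWIDTH_KBPS} kbps "
            "(the GUI rejects it; use 0 via the CLI for unlimited)"
        )
    if guaranteed_kbps < 0:
        findings.append(f"{name}: guaranteed-bandwidth must not be negative")
    # Assumption: a guarantee larger than the cap can never be honoured.
    if maximum_kbps != UNLIMITED and guaranteed_kbps > maximum_kbps:
        findings.append(
            f"{name}: guaranteed-bandwidth {guaranteed_kbps} exceeds maximum-bandwidth {maximum_kbps}"
        )
    return findings


def check_interface(shapers, policy_shapers, interface_capacity_kbps):
    """Check all shapers that shaping policies on one egress interface reference.

    shapers:        {name: {"guaranteed": kbps, "maximum": kbps, "per_policy": bool}}
    policy_shapers: shaper name referenced by each shaping policy on the interface
    """
    findings = []
    for name, s in shapers.items():
        findings += check_shaper(name, s["guaranteed"], s["maximum"])

    # Per the page: a per-policy shaper gives every referencing policy its own
    # allocation, while a shared (all-policies) shaper is one allocation in total.
    reserved = 0
    capped_total = 0
    for name, s in shapers.items():
        refs = policy_shapers.count(name)
        if refs == 0:
            continue
        multiplier = refs if s["per_policy"] else 1
        reserved += s["guaranteed"] * multiplier
        if s["maximum"] != UNLIMITED:
            capped_total += s["maximum"] * multiplier

    if reserved >= interface_capacity_kbps:
        findings.append(
            f"guarantees total {reserved} kbps >= interface capacity {interface_capacity_kbps} kbps: "
            "other traffic will be starved"
        )
    elif reserved >= GUARANTEE_WARN_RATIO * interface_capacity_kbps:
        findings.append(
            f"guarantees total {reserved} kbps leave little headroom on a "
            f"{interface_capacity_kbps} kbps interface"
        )
    if capped_total > interface_capacity_kbps:
        findings.append(
            f"maximums total {capped_total} kbps: the caps cannot all be reached at once on a "
            f"{interface_capacity_kbps} kbps interface"
        )
    return findings


# Constructed input mirroring the page's two shapers (values from the CLI example below).
PAGE_SHAPERS = {
    "10Mbps": {"guaranteed": 10000, "maximum": 20000, "per_policy": False},
    "1Mbps": {"guaranteed": 1000, "maximum": 10000, "per_policy": False},
}
PAGE_POLICIES = ["10Mbps", "1Mbps"]

if __name__ == "__main__":
    for finding in check_interface(PAGE_SHAPERS, PAGE_POLICIES, 100000) or ["OK"]:
        print(finding)
```

The reserved-bandwidth sum is the check that matters operationally: three policies referencing a 1000 kbps per-policy shaper reserve 3000 kbps, not 1000, and that is what must fit under the interface's outbandwidth limit.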

The shared traffic shaper selected in the traffic shaping policy affects traffic in the direction defined in the
policy. For example, if the source port is LAN and the destination is WAN1, the traffic shaping affects the flow
in this direction only, affecting the outbound traffic’s upload speed. You can define the traffic shaper for the
policy in the opposite direction (reverse shaper) to affect the inbound traffic’s download speed. In this
example, that would be from WAN1 to LAN.

The following example shows how to apply different speeds to different types of service. The example
configures two shared traffic shapers to use in two firewall shaping policies. One policy guarantees a speed
of 10 Mbps for VoIP traffic.

The other policy guarantees a speed of 1 Mbps for other traffic. In the example, FortiOS communicates with
a PC using port10 and the Internet using port9.

To configure shared traffic shapers in the FortiOS GUI:

1. Create a firewall policy:
   1. Go to Policy & Objects > IPv4 Policy. Click Create New.
   2. In the Name field, enter Internet Access.
   3. From the Incoming Interface dropdown list, select port10.
   4. From the Outgoing Interface dropdown list, select port9.
   5. For the Source and Destination fields, select all.
   6. From the Schedule dropdown list, select always.
   7. For the Service field, select ALL.
   8. Click OK.
2. Create the shared traffic shapers:
   1. Go to Policy & Objects > Traffic Shapers. Click Create New.
   2. In the Name field, enter 10Mbps. This shaper is for VoIP traffic.
   3. From the Traffic Priority dropdown list, select High.
   4. Enable Max Bandwidth and enter 20000. This equates to 20 Mbps.
   5. Enable Guaranteed Bandwidth and enter 10000. This equates to 10 Mbps.
   6. Click OK.
   7. Repeat the process above to create another traffic shaper named 1Mbps. Set the Traffic Priority
      to Low, the Max Bandwidth and Guaranteed Bandwidth to 10000.
3. Create a firewall shaping policy:
   1. Go to Policy & Objects > Traffic Shaping Policy. Click Create New.
   2. In the Name field, enter VoIP_10Mbps_High. This policy is for VoIP traffic.
   3. For the Source and Destination fields, select all.
   4. For the Service field, select all VoIP services.
   5. For the Outgoing Interface field, select port9.
   6. Enable Shared shaper. Select 10Mbps from the dropdown list.
   7. Enable Reverse shaper. Select 10Mbps from the dropdown list.
   8. Click OK.
   9. Repeat the process above to create a firewall shaping policy named Other_1Mbps_Low for other
      traffic. Set the Source and Destination to all, Service to ALL, Outgoing Interface to port9, and
      Shared shaper and Reverse shaper to 1Mbps.
FortiExplorer
To configure shared traffic shapers using the FortiOS CLI:

1. Create a firewall policy:

config firewall policy
    edit 1
        set name "Internet Access"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end

2. Create the shared traffic shapers:

config firewall shaper traffic-shaper
    edit "10Mbps"
        set guaranteed-bandwidth 10000
        set maximum-bandwidth 20000
    next
    edit "1Mbps"
        set guaranteed-bandwidth 1000
        set maximum-bandwidth 10000
        set priority low
    next
end

3. Create a firewall shaping policy:

config firewall shaping-policy
    edit 1
        set name "VOIP_10Mbps_High"
        set service "H323" "IRC" "MS-SQL" "MYSQL" "RTSP" "SCCP" "SIP" "SIP-MSNmessenger"
        set dstintf "port9"
        set traffic-shaper "10Mbps"
        set traffic-shaper-reverse "10Mbps"
        set srcaddr "all"
        set dstaddr "all"
    next
    edit 2
        set name "Other_1Mbps_Low"
        set service "ALL"
        set dstintf "port9"
        set traffic-shaper "1Mbps"
        set traffic-shaper-reverse "1Mbps"
        set srcaddr "all"
        set dstaddr "all"
    next
end


To troubleshoot shared traffic shapers:

1. To check if specific traffic is attached to the correct traffic shaper, run the diagnose firewall iprope list
   100015 command. The example output shows the traffic attached to the 10Mbps and 1Mbps shapers:

# diagnose firewall iprope list 100015
policy index=1 uuid_idx=0 action=accept flag (0):
shapers: orig=10Mbps(2/1280000/2560000) cos_fwd=0 cos_rev=0 group=00100015 av=00000000 au=00000000 split=00000000 host=4 chk_client_info=0x0 app_list=0 ips_view=0 misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(1): 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0, dest(1): 0.0.0.0-255.255.255.255, uuid_idx=0, service(15):
[6:0x0:0/(1,65535)->(1720,1720)] helper:auto
[6:0x0:0/(1,65535)->(1503,1503)] helper:auto
[17:0x0:0/(1,65535)->(1719,1719)] helper:auto
[6:0x0:0/(1,65535)->(6660,6669)] helper:auto
[6:0x0:0/(1,65535)->(1433,1433)] helper:auto
[6:0x0:0/(1,65535)->(1434,1434)] helper:auto
[6:0x0:0/(1,65535)->(3306,3306)] helper:auto
[6:0x0:0/(1,65535)->(554,554)] helper:auto
[6:0x0:0/(1,65535)->(7070,7070)] helper:auto
[6:0x0:0/(1,65535)->(8554,8554)] helper:auto
[17:0x0:0/(1,65535)->(554,554)] helper:auto
[6:0x0:0/(1,65535)->(2000,2000)] helper:auto
[6:0x0:0/(1,65535)->(5060,5060)] helper:auto
[17:0x0:0/(1,65535)->(5060,5060)] helper:auto
[6:0x0:0/(1,65535)->(1863,1863)] helper:auto
policy index=2 uuid_idx=0 action=accept flag (0):
shapers: orig=1Mbps(4/128000/1280000) cos_fwd=0 cos_rev=0 group=00100015 av=00000000 au=00000000 split=00000000 host=4 chk_client_info=0x0 app_list=0 ips_view=0 misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(1): 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0, dest(1): 0.0.0.0-255.255.255.255, uuid_idx=0, service(1):
[0:0x0:0/(0,0)->(0,0)] helper:auto

2. To check if the correct traffic shaper is applied to the session, run the diagnose sys session list
   command. The example output shows that the 1Mbps shaper is applied to the session:

# dia sys session list
session info: proto=6 proto_state=01 duration=11 expire=3599 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper=1Mbps prio=4 guarantee 128000Bps max 1280000Bps traffic 1050Bps drops 0B reply-shaper= per_ip_shaper=
class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255 state=may_dirty npu npd os mif route_preserve
statistic(bytes/packets/allow_err): org=868/15/1 reply=752/10/1 tuples=2
tx speed(Bps/kbps): 76/0 rx speed(Bps/kbps): 66/0 orgin->sink: org pre->post, reply pre->post dev=39->38/38->39 gwy=172.16.200.55/0.0.0.0
hook=post dir=org act=snat 10.1.100.11:58241->172.16.200.55:21(172.16.200.1:58241)
hook=pre dir=reply act=dnat 172.16.200.55:21->172.16.200.1:58241(10.1.100.11:58241)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=4 serial=0003255f tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id = 00000000 dd_type=0 dd_mode=0
npu_state=0x100000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: offload-denied helper
total session 1

3. To check statuses of shared traffic shapers, run the diagnose firewall shaper traffic-shaper list
   command. The output should resemble the following:

# dia firewall shaper traffic-shaper list
name 10Mbps maximum-bandwidth 2500 KB/sec guaranteed-bandwidth 1250 KB/sec current-bandwidth 0 B/sec priority 2 tos ff packets dropped 0 bytes dropped 0
name 1Mbps maximum-bandwidth 1250 KB/sec guaranteed-bandwidth 125 KB/sec current-bandwidth 0 B/sec priority 4 tos ff packets dropped 0 bytes dropped 0

Per-IP traffic shaper

With per-IP traffic shaping, you can limit each IP address’s behavior to avoid a situation where one user uses
all of the available bandwidth. In addition to controlling the maximum bandwidth used per IP address, you can
also define the maximum number of concurrent sessions for an IP address. For example, if you apply a per-
IP shaper of 1 Mbps to your entire network, FortiOS allocates each user/IP address 1 Mbps of bandwidth.
Even if the network consists of a single user, FortiOS allocates them 1 Mbps. If there are ten users, each user
gets 1 Mbps of bandwidth, totaling 10 Mbps of outgoing traffic.

For shared shapers, all users share the set guaranteed and maximum bandwidths. For example, if you set a
shared shaper for all PCs using an FTP service to 10 Mbps, all users uploading to the FTP server share the 10
Mbps.

Shared shapers affect upload speed. If you want to limit the download speed from the FTP server in the
example, you must configure the shared shaper as a reverse shaper. Per-IP shapers apply the speed limit on
both upload and download operations.

The following example shows how to apply a per-IP shaper to a traffic shaping policy. This shaper assigns
each user a maximum bandwidth of 1 Mbps and allows each user to have a maximum of ten concurrent
connections to the FTP server. In the example, FortiOS communicates with users using port10 and the FTP
server using port9.

To configure a per-IP shaper in the FortiOS GUI:

1. Create a firewall policy:
   1. Go to Policy & Objects > IPv4 Policy. Click Create New.
   2. In the Name field, enter FTP Access.
   3. From the Incoming Interface dropdown list, select port10.
   4. From the Outgoing Interface dropdown list, select port9.
   5. For the Source and Destination fields, select all and FTP_Server, respectively.
   6. From the Schedule dropdown list, select always.
   7. For the Service field, select ALL.
   8. Click OK.
2. Create the per-IP traffic shaper:
   1. Go to Policy & Objects > Traffic Shapers. Click Create New.
   2. For Type, select Per-IP.
   3. In the Name field, enter FTP_Max_1M. This shaper is for VoIP traffic.
   4. Enable Max Bandwidth and enter 1000. This equates to 1 Mbps.
   5. Enable Max Concurrent Connections and enter 10. This means that each user can have up to ten
      concurrent connections to the FTP server.
   6. Click OK.
3. Create a firewall shaping policy:
   1. Go to Policy & Objects > Traffic Shaping Policy. Click Create New.
   2. In the Name field, enter FTP speed 1M.
   3. For the Source fields, select the users that need to access the FTP server.
   4. For the Destination field, select FTP_Server.
   5. For the Service field, select ALL.
   6. For the Outgoing Interface field, select port9.
   7. Enable Per-IP shaper. Select FTP_Max_1M from the dropdown list.
   8. Click OK.

To configure a per-IP traffic shaper using the FortiOS CLI:

1. Create a firewall policy:

config firewall policy
    edit 1
        set name "FTP Access"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "FTP_Server"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end

2. Create the per-IP traffic shaper:

config firewall shaper per-ip-shaper
    edit "FTP_Max_1M"
        set max-bandwidth 1000
        set max-concurrent-session 10
    next
end

3. Create a firewall shaping policy:

config firewall shaping-policy
    edit 1
        set name "FTP speed 1M"
        set service "ALL"
        set dstintf "port9"
        set per-ip-shaper "FTP_Max_1M"
        set srcaddr "PC1" "WinPC" "PC2"
        set dstaddr "FTP_Server"
    next
end

To troubleshoot per-IP traffic shapers:

1. To check if specific traffic is attached to the correct traffic shaper, run the diagnose firewall iprope list
   100015 command. The example output shows the traffic attached to the FTP_Max_1M shaper:

# diagnose firewall iprope list 100015
policy index=3 uuid_idx=0 action=accept flag (0):
shapers: per-ip=FTP_Max_1M cos_fwd=0 cos_rev=0 group=00100015 av=00000000 au=00000000 split=00000000 host=2 chk_client_info=0x0 app_list=0 ips_view=0 misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(1): 38
source(3): 10.1.100.11-10.1.100.11, uuid_idx=30, 10.1.100.143-10.1.100.143, uuid_idx=32, 10.1.100.22-10.1.100.22, uuid_idx=31, dest(1): 172.16.200.55-172.16.200.55, uuid_idx=89, service(1):
[0:0x0:0/(0,65535)->(0,65535)] helper:auto

2. To check if the correct traffic shaper is applied to the session, run the diagnose sys session list
   command. The example output shows that the FTP_Max_1M shaper is applied to the session:

# dia sys session list
session info: proto=6 proto_state=01 duration=36 expire=3567 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper= reply-shaper= per_ip_shaper=FTP_Max_1M
class_id=0 shaping_policy_id=3 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255 state=may_dirty per_ip npu npd mif route_preserve
statistic(bytes/packets/allow_err): org=506/9/1 reply=416/6/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0 orgin->sink: org pre->post, reply pre->post dev=39->38/38->39 gwy=172.16.200.55/0.0.0.0
hook=post dir=org act=snat 10.1.100.11:58275->172.16.200.55:21(172.16.200.1:58275)
hook=pre dir=reply act=dnat 172.16.200.55:21->172.16.200.1:58275(10.1.100.11:58275)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=2 serial=0000211a tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id = 00000000 dd_type=0 dd_mode=0
npu_state=0x100000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: offload-denied helper

3. To check statuses of per-IP traffic shapers, run the diagnose firewall shaper per-ip-shaper list
   command. The output should resemble the following:

# diagnose firewall shaper per-ip-shaper list
name FTP_Max_1M maximum-bandwidth 125 KB/sec maximum-concurrent-session 10
tos ff/ff packets dropped 0 bytes dropped 0
addr=10.1.100.11 status: bps=0 ses=3
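Both troubleshooting procedures on this page (shared shapers above, per-IP shapers here) come down to the same manual reading of diagnose output: which shaper name is in the origin-shaper, reply-shaper or per_ip_shaper slot of a session, and whether the byte rates printed by FortiOS reconcile with the kbps that were configured. The following added example, written for this page and not code from FortinetGuru or Fortinet, parses those lines so the check can be scripted. The sample lines are constructed to match the shape of the output shown on the page; the conversion factor (1 kbps rendered as 128 B/s, 1 KB as 1024 B) is inferred from the page's own numbers, where 10000 kbps appears as 1280000Bps and 1250 KB/sec, and is an assumption of this example.

```python
"""Parse FortiOS diagnose output to verify which shaper a session uses and at what rates."""
import re

# Constructed sample lines, shaped like the diagnose output shown on the page.
SESSION_SHARED = (
    "origin-shaper=1Mbps prio=4 guarantee 128000Bps max 1280000Bps "
    "traffic 1050Bps drops 0B reply-shaper= per_ip_shaper="
)
SESSION_PER_IP = "origin-shaper= reply-shaper= per_ip_shaper=FTP_Max_1M"
SHAPER_LIST = """\
name 10Mbps maximum-bandwidth 2500 KB/sec guaranteed-bandwidth 1250 KB/sec current-bandwidth 0 B/sec priority 2 tos ff packets dropped 0 bytes dropped 0
name 1Mbps maximum-bandwidth 1250 KB/sec guaranteed-bandwidth 125 KB/sec current-bandwidth 0 B/sec priority 4 tos ff packets dropped 0 bytes dropped 0
"""

# Assumption inferred from the page: 10000 kbps is printed as 1280000 Bps and as
# 1250 KB/sec, so FortiOS uses 1 kbps = 128 B/s and 1 KB = 1024 B.
BPS_PER_KBPS = 128


def bps_to_kbps(bps):
    return bps // BPS_PER_KBPS


def kb_per_sec_to_kbps(kb_per_sec):
    return kb_per_sec * 1024 // BPS_PER_KBPS


def parse_session_shapers(line):
    """Shaper names in the three slots of a session line ('' = none) plus rates, if present."""
    info = {}
    for key in ("origin-shaper", "reply-shaper", "per_ip_shaper"):
        m = re.search(re.escape(key) + r"=(\S*)", line)
        info[key] = m.group(1) if m else ""
    m = re.search(r"guarantee (\d+)Bps max (\d+)Bps traffic (\d+)Bps drops (\d+)B", line)
    if m:
        info["guarantee_kbps"] = bps_to_kbps(int(m.group(1)))
        info["max_kbps"] = bps_to_kbps(int(m.group(2)))
        info["traffic_bps"] = int(m.group(3))
        info["drops_bytes"] = int(m.group(4))
    return info


SHAPER_RE = re.compile(
    r"name (?P<name>\S+) maximum-bandwidth (?P<max>\d+) KB/sec "
    r"guaranteed-bandwidth (?P<gua>\d+) KB/sec current-bandwidth (?P<cur>\d+) B/sec "
    r"priority (?P<prio>\d+) tos (?P<tos>\S+) packets dropped (?P<pd>\d+) bytes dropped (?P<bd>\d+)"
)


def parse_shaper_list(text):
    """Map shaper name -> counters from 'diagnose firewall shaper traffic-shaper list' output."""
    shapers = {}
    for line in text.splitlines():
        m = SHAPER_RE.search(line)
        if not m:
            continue
        shapers[m["name"]] = {
            "max_kbps": kb_per_sec_to_kbps(int(m["max"])),
            "guaranteed_kbps": kb_per_sec_to_kbps(int(m["gua"])),
            "current_bps": int(m["cur"]),
            "priority": int(m["prio"]),
            "packets_dropped": int(m["pd"]),
            "bytes_dropped": int(m["bd"]),
        }
    return shapers


def session_matches(line, shaper, guarantee_kbps=None, max_kbps=None):
    """True if the session carries `shaper` in any slot and, when given, its rates match the config."""
    info = parse_session_shapers(line)
    if shaper not in (info["origin-shaper"], info["reply-shaper"], info["per_ip_shaper"]):
        return False
    if guarantee_kbps is not None and info.get("guarantee_kbps") != guarantee_kbps:
        return False
    if max_kbps is not None and info.get("max_kbps") != max_kbps:
        return False
    return True


def shapers_dropping(text):
    """Names of shapers whose drop counters show that policing is actually discarding traffic."""
    return sorted(n for n, s in parse_shaper_list(text).items() if s["packets_dropped"] > 0)


if __name__ == "__main__":
    print(parse_session_shapers(SESSION_SHARED))
    print(parse_shaper_list(SHAPER_LIST))
```

Feeding real output through `session_matches` answers the question each troubleshooting step asks; `shapers_dropping` is the counter to watch after the change, since a rising "packets dropped" value is the shaper enforcing its maximum rather than a fault elsewhere.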

Type of Service-based prioritization and policy-based traffic shaping

Priority queues

After packet acceptance, FortiOS classifies traffic and may apply Quality of Service techniques such as
prioritization and traffic shaping. Traffic shaping consists of a mixture of traffic policing to enforce bandwidth
limits and priority queue adjustment to assist packets in achieving the guaranteed rate.

If you have configured prioritization, FortiOS prioritizes egressing packets by distributing them among first in
first out queues associated with each possible priority number. Each physical interface has six priority queues.
Virtual interfaces use the priority queues of the physical interface to which they are bound.

Each physical interface’s six queues are queue 0 to queue 5, where queue 0 is the highest priority queue.
However, you may observe that your traffic uses only a subset of those six queues. For example, some
traffic may always use a certain queue number. Queuing may also vary by the packet rate or mixture of
services. Some queue numbers may only be used by through traffic for which you have configured traffic
shaping in the security policy that applies to that traffic session.

Administrative access traffic always uses queue 0.

Traffic matching firewall policies without traffic shaping may use queue 0, queue 1, or queue 2. The queue is
selected based on the priority value you have configured for packets with that Type of Service (ToS) bit value,
if you have configured ToS-based priorities.

Traffic matching firewall shaping policies with traffic shaper enabled may use any queue. The queue is
selected based on whether the packet rate is currently below the guaranteed bandwidth (queue 0), or above
the guaranteed bandwidth. Packets at rates greater than the maximum bandwidth limit are dropped.

Priority types

Packets can be assigned a priority in one of three types:

- On entering ingress – for packets flowing through the firewall.
- Upon generation – for packets generated by the firewall (including packets generated due to AV proxying).
- On passing through a firewall policy – for packets passing through a firewall policy (firewall shaping
  policy) that has a traffic shaper defined.

ToS priority

The first and second types, ingress priority and priority for generated packets, are controlled via two different
CLI settings, as shown below:

config system global
    set traffic-priority-level {high|medium|low}
end

config system tos-based-priority
    edit 1
        set tos [0-15]                  -> type of service bit in the IP datagram header, with a value between 0 and 15
        set priority (high|medium|low)  -> priority of this type of service
    next
end

Each priority level is mapped to a value as follows:

ToS priority    Value
High            0
Medium          1
Low             2

Firewall shaping policy priority

In a firewall shaping policy, you can enable traffic shaping. In the shared traffic shaper, you can set the
firewall priority to high, medium, or low, as shown below:

config firewall shaper traffic-shaper
    edit "1"
        set priority (high|medium|low)
    next
end

Since the priority in a traffic shaper is set to high by default, you must set some traffic at a lower priority to
see results. Each priority level is mapped to a value as follows:

Firewall policy priority    Value
High (default)              1
Medium                      2
Low                         3

Combination of two priority types

To combine the two priority types, the global or ingress ToS-based priority value is combined with the firewall
policy priority value:

ToS priority (0, 1, 2) + policy priority (1, 2, 3) = total priority (queue number)

Consider the following scenarios:

- If the current packet rate is less than the guaranteed bandwidth, packets use priority queue 0. Packet
  priority is 0.
- If the current packet rate exceeds the maximum bandwidth, excess packets are dropped.
- If the current packet rate is greater than the guaranteed bandwidth but less than the maximum
  bandwidth, FortiOS assigns a priority queue by adding the ToS-based priority and the firewall priority.
  For example, if you have enabled traffic shaping in the security policy and the security policy’s traffic
  priority is low (value 3), and the priority normally applied to packets with that ToS bit is medium (value
  1), the packets have a total packet priority of 4, and use priority queue 4.

Interface-based traffic shaping profile

Priority Queues

After packet acceptance, FortiGate classifies traffic and might apply Quality of Service (QoS) techniques, such
as prioritization and traffic shaping. Traffic shaping consists of a mixture of traffic policing to enforce
bandwidth limits and priority queue adjustment to assist packets in achieving the guaranteed rate.

If you have configured prioritization, the FortiGate unit prioritizes egressing packets by distributing them
among FIFO (first in, first out) queues associated with each possible priority number. Each physical interface
has six priority queues. Virtual interfaces use the priority queues of the physical interface to which they are
bound.

Each physical interface’s six queues are queue 0 to queue 5, where queue 0 is the highest priority queue.
However, you might observe that your traffic uses only a subset of those six queues. For example, some
traffic might always use a certain queue number. Queuing may also vary by the packet rate or mixture of
services. Some queue numbers might only be used by through traffic for which you have configured traffic
shaping in the security policy that applies to that traffic session.

Administrative access traffic will always use queue 0.


- Traffic matching firewall policies without traffic shaping may use queue 0, queue 1, or queue 2. The
  queue is selected based on the priority value you have configured for packets with that ToS (Type of
  Service) bit value, if you have configured ToS-based priorities.
- Traffic matching a firewall shaping policy with a traffic shaper enabled may use any queue. The queue is
  selected based on whether the packet rate is currently below the guaranteed bandwidth (queue 0), or
  above the guaranteed bandwidth. Packets at rates greater than the maximum bandwidth limit are
  dropped.

For example, if the global ToS-based priority is low (3) and the priority in a traffic shaper is medium (2),
when a packet flows through a policy that refers to the shaper, the packet is assigned the priority
defined by the shaper. In this case, medium (2).

Types of priority

Packets can be assigned a priority in one of three types:

1. On entering ingress – for packets flowing through the firewall.
2. Upon generation – for packets generated by the firewall (including packets generated due to AV
   proxying).
3. On passing through a firewall policy – for packets passing through a firewall policy (firewall shaping
   policy) that has a traffic shaper defined.

Type of Service (ToS) priority

The first and second types (ingress priority and priority for generated packets) are controlled via two different
CLI settings:

config system global
    set traffic-priority-level {high|medium|low}
end

and

config system tos-based-priority
    edit 1
        set tos [0-15]                  -> type of service bit in the IP datagram header, with a value between 0 and 15
        set priority (high|medium|low)  -> priority of this type of service
    next
end

Each priority level is mapped to a value as follows:

ToS priority    Value
High            0
Medium          1
Low             2

Firewall shaping policy priority

In a firewall shaping policy, you can enable traffic shaping. In the shared traffic shaper, you can set the
firewall priority to high, medium, or low:

config firewall shaper traffic-shaper
    edit "1"
        set priority (high|medium|low)
    next
end

Since the priority in a traffic shaper is set to "high" by default, it is necessary to set some traffic at a lower
priority to get results. Each priority level is mapped to a value as follows:

Firewall policy priority    Value
High (default)              1
Medium                      2
Low                         3

Combination priority

The global or ingress ToS-based priority value is combined with the firewall policy priority value:

ToS priority (0, 1, 2) + policy priority (1, 2, 3) = total priority (queue number)

Let’s take a look at some scenarios:

Case 1: If the current packet rate is less than the guaranteed bandwidth, packets use priority queue 0. In other
words, packet priority = 0.

Case 2: If the current packet rate exceeds the maximum bandwidth, excess packets are dropped.

Case 3: If the current packet rate is greater than the guaranteed bandwidth, but less than the maximum
bandwidth, the FortiGate unit assigns a priority queue by adding the ToS-based priority and the firewall
priority.

For example, if you have enabled Traffic Shaping in the security policy, and the security policy’s Traffic Priority
is Low (value 3), and the priority normally applied to packets with that ToS bit is medium (value 1), then
packets have a total packet priority of 4, and use priority queue 4.
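The queue selection described in the "Combination of two priority types" section above and repeated here is a small decision procedure: rate under the guarantee goes to queue 0, rate over the maximum is dropped, and anything in between is queued at ToS priority plus policy priority. The following is an added example, not code from FortinetGuru or Fortinet, that models that procedure using the two value tables on this page, so the worked case (policy priority low = 3, ToS priority medium = 1, queue 4) and every other combination can be checked. The ToS lookup table mirrors the page's tos-based-priority example (tos 10 medium, tos 20 high, global default low). How FortiOS treats a rate exactly equal to the guarantee or maximum is not stated on the page, so the boundary handling here is this example's assumption.

```python
"""Model of FortiOS egress queue selection as described on the page."""

# Value tables as tabulated on the page.
TOS_PRIORITY = {"high": 0, "medium": 1, "low": 2}
POLICY_PRIORITY = {"high": 1, "medium": 2, "low": 3}
QUEUES = 6        # each physical interface has queues 0..5, queue 0 highest
DROP = None       # returned for packets above the maximum bandwidth
UNLIMITED = 0     # maximum-bandwidth 0 means no cap (CLI only, per the page)

# Constructed to mirror the page's tos-based-priority example.
PAGE_TOS_TABLE = {10: "medium", 20: "high"}
PAGE_GLOBAL_LEVEL = "low"


def tos_priority_for(tos_value, tos_table=PAGE_TOS_TABLE, global_level=PAGE_GLOBAL_LEVEL):
    """Ingress priority: the matching tos-based-priority entry, else the global traffic-priority-level."""
    return tos_table.get(tos_value, global_level)


def queue_unshaped(tos_level):
    """Traffic through a policy with no shaper uses only queue 0, 1 or 2, chosen by ToS priority."""
    return TOS_PRIORITY[tos_level]


def queue_shaped(rate_kbps, guaranteed_kbps, maximum_kbps, tos_level, policy_level):
    """Queue for traffic through a shaping policy, following the three cases on the page.

    Assumption (boundaries not stated on the page): rate <= guaranteed counts as within
    the guarantee and rate > maximum counts as excess.
    """
    if maximum_kbps != UNLIMITED and rate_kbps > maximum_kbps:
        return DROP                                   # case 2: excess packets are dropped
    if rate_kbps <= guaranteed_kbps:
        return 0                                      # case 1: within the guarantee
    queue = TOS_PRIORITY[tos_level] + POLICY_PRIORITY[policy_level]
    assert 0 <= queue < QUEUES                        # 1..5 always fits the six queues
    return queue                                      # case 3: sum of the two priorities


def page_worked_example():
    """The page's example: shaper priority low (3) + ToS priority medium (1) -> queue 4."""
    return queue_shaped(5000, guaranteed_kbps=1000, maximum_kbps=10000,
                        tos_level="medium", policy_level="low")


if __name__ == "__main__":
    for tos_value in (10, 20, 7):
        level = tos_priority_for(tos_value)
        print(f"tos {tos_value}: ingress priority {level}, unshaped queue {queue_unshaped(level)}")
    print("page example queue:", page_worked_example())
```

Running every ToS and policy combination through `queue_shaped` shows why the page says a shaped flow "may use any queue": the sums span 1 to 5, with queue 0 reserved for traffic still inside its guarantee, whereas unshaped traffic never leaves queues 0 to 2.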

October 9, 2019 | Administration Guides, FortiGate, FortiOS 6.2 | 1 Comment

Mike (2844 Posts)

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of
vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or
configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread
information while providing the option of quality consulting services at a much lower price than Fortinet
Professional Services.

One response to “Traffic shaping”

1. Aung Htun Oo says, October 23, 2019 at 10:35 PM:

   Good topic, thanks

Fortinet GURU is not owned by or affiliated with Fortinet.