Through traffic
For traffic passing through the FortiGate unit, the method used to determine the priority queue depends on whether you have enabled Traffic Shaping. Packets may or may not use a priority queue directly or indirectly derived from the type of service (ToS) bit (sometimes used instead with differentiated services) in the packet’s IP header.
If Traffic Shaping is not enabled in the security policy, the FortiGate unit neither limits nor guarantees bandwidth, and traffic for that session uses the priority queue determined directly by matching the ToS bit in its header with your configured values:
config system global
set tos-based-priority {high | low | medium}
end
or, if you have configured a priority specifically for that ToS bit value:
config system tos-based-priority
edit <id_int>
set tos [0-15]
set priority {high | low | medium}
next
end
where tos is the value of the ToS bit in the packet’s IP header, and high has a priority value of 0 and low is 2. Priority values configured in the second location will override the global ToS-based priority. In other words:
packet priority = ToS-based priority
For example, you might specify that packets with a ToS bit value of 2 should use queue 0, the highest priority queue:
config system tos-based-priority
edit 15
set tos 2
set priority high
next
end
If Traffic Shaping is enabled in the security policy using shared traffic shapers, the FortiGate unit may instead or also subject packets to traffic policing, or to a priority queue increase, in an effort to meet the bandwidth guarantees configured in the shaper:
config firewall shaper traffic-shaper
edit <shaper_name>
...
set priority {high | medium | low}
set maximum-bandwidth <rate>
set guaranteed-bandwidth <rate>
end
where high has a priority value of 1 and low is 3, and <rate> is the bandwidth limit in kilobits per second.
Figure 314: Traffic queuing as packet rate increases
If the current packet rate is less than Guaranteed Bandwidth, packets use priority queue 0. In other words:
packet priority = 0
If the current packet rate is greater than Guaranteed Bandwidth but less than Maximum Bandwidth, the FortiGate unit assigns a priority queue by adding the numerical value of the security policy-based priority (High is 1, Low is 3) to the numerical value of the ToS-based priority (high is 0, low is 2). Because the two values are added, depending on your configured ToS-based priorities, packets in this category could use queues from queue 1 to queue 5. In other words:
packet priority = ToS-based priority + security policy-based priority
For example, if you have enabled Traffic Shaping in the security policy, and the security policy’s Traffic Priority is Low (value 3), and the priority normally applied to packets with that ToS bit is medium (value 1), then packets have a total packet priority of 4, and use priority queue 4.
If the current packet rate exceeds Maximum Bandwidth, excess packets are dropped.
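The following Python model is an added example, not part of the FortiOS documentation or Fortinet code; it works through the three rate bands and the ToS override described above. The function names, the dictionary layout, the value 2 for a medium shaper priority, and the handling of a rate exactly equal to a threshold are assumptions.

```python
# Added illustration, not FortiOS code: a model of the queue selection rules
# described on this page. All names here are hypothetical.

TOS_VALUE = {"high": 0, "medium": 1, "low": 2}     # ToS-based priority values
# Shaper priority values; the page gives high=1 and low=3, medium=2 is inferred.
POLICY_VALUE = {"high": 1, "medium": 2, "low": 3}


def tos_priority(tos, global_default, overrides):
    """A per-ToS entry (config system tos-based-priority) overrides the
    global default (config system global)."""
    if not 0 <= tos <= 15:
        raise ValueError("tos must be in the range 0-15")
    return TOS_VALUE[overrides.get(tos, global_default)]


def select_queue(tos, global_default, overrides, shaper=None, rate_kbps=0):
    """Return the priority queue number, or None when the packet is dropped.

    shaper is None when Traffic Shaping is not enabled in the policy,
    otherwise a dict with 'priority', 'guaranteed' and 'maximum' (kbit/s).
    """
    base = tos_priority(tos, global_default, overrides)
    if shaper is None:
        return base                      # packet priority = ToS-based priority
    if rate_kbps < shaper["guaranteed"]:
        return 0                         # below the guarantee: queue 0
    if rate_kbps <= shaper["maximum"]:
        # Assumption: a rate exactly equal to a threshold falls in this band.
        return base + POLICY_VALUE[shaper["priority"]]
    return None                          # above the maximum: excess dropped


if __name__ == "__main__":
    overrides = {2: "high"}              # constructed sample: ToS 2 -> high
    shaper = {"priority": "low", "guaranteed": 1000, "maximum": 2000}
    for rate in (500, 1500, 2500):       # constructed sample rates in kbit/s
        print(rate, select_queue(5, "medium", overrides, shaper, rate))
```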