Chapter 17 Traffic Shaping for FortiOS 5.0 : Examples : QoS using priority from security policies
  
QoS using priority from security policies
Configurations implementing QoS using the priority values defined in security policies are capable of applying bandwidth limits and guarantees.
In addition to configuring traffic shaping, you may also choose to limit bandwidth accepted by each interface. This can be useful in scenarios where bandwidth being received on source interfaces frequently exceeds the maximum bandwidth limit defined in the security policy. In this case, rather than wasting processing power on packets that will only be dropped later in the processing to enforce those limits, you may choose to preemptively police the traffic.
Note that if you implement QoS using security policies rather than ToS bit, the FortiGate unit applies QoS to all packets controlled by the policy. Control is less granular than prioritization by ToS bit, but has the benefits of correlating quality of service to a security policy, enabling you to distribute traffic over up to four of the possible 6 priority queues (queue 0 to queue 3), not requiring other devices in your network to set or respect the ToS bit, and of enabling you to configure bandwidth limits and guarantees.
In this example, we limit the bandwidth accepted by each source interface, limit the bandwidth used by sessions controlled by the security policy, and then configure prioritized queuing on the destination interface based upon the priority in the security policy, subject to alternative assignment to queue 0 when necessary to achieve the guaranteed packet rate.
To limit bandwidth accepted by an interface
In the CLI, enter the following commands:
config system interface
edit <name_str>
set inbandwidth <rate_int>
next
end
where <rate_int> is the bandwidth limit in Kb/s. Excess packets will be dropped.
To configure bandwidth guarantees, limits, and priorities
1. Go to Firewall Objects > Traffic Shaper > Shared, and select Create New.
2. Enter a name for the shaper.
3. Enter the Guaranteed Bandwidth, if any.
Bandwidth guarantees affect prioritization. While packet rates are less than this rate, they use priority queue 0. If this is not the effect you intend, consider entering a small guaranteed rate, or enter 0 to effectively disable bandwidth guarantees.
4. Enter a Maximum Bandwidth.
Packets greater than this rate will be discarded.
5. Select the Traffic Priority.
High has a priority value of 1, while Low is 3. While the current packet rate is below Guaranteed Bandwidth, the FortiGate unit will disregard this setting, and instead use priority queue 0.
6. Select OK.
See also 
Sample configuration
QoS using priority from ToS or differentiated services
Example setup for VoIP