QoS using priority from security policies
Configurations implementing QoS using the priority values defined in the security policies are capable of applying bandwidth limits and guarantees.
In addition to configuring traffic shaping, you may also choose to limit the bandwidth accepted by each interface. This can be useful in scenarios where the bandwidth received on source interfaces frequently exceeds the maximum bandwidth limit defined in the security policy. Rather than waste processing power on packets that will get dropped later in the process, you may choose to preemptively police the traffic.
If you decide to implement QoS using security policies rather than ToS bit, the FortiGate unit applies QoS to all packets controlled by the policy. This type of control is less granular than prioritization by ToS bit, but has the benefits of correlating quality of service to a security policy. This correlation enables you to distribute traffic over up to four of the possible 6 priority queues (queue 0 to queue 3), does not require other devices in your network to set or respect the ToS bit, and enables you to configure bandwidth limits and guarantees.
In the following example, we limit the bandwidth accepted by each source interface, limit the bandwidth used by sessions controlled by the security policy, and then configure prioritized queuing on the destination interface based upon the priority in the security policy, subject to alternative assignment to queue 0 when necessary to achieve the guaranteed packet rate.
To limit bandwidth accepted by an interface
In the CLI, enter the following commands:
config system interface
edit <name_str>
set inbandwidth <rate_int>
next
end
where <rate_int> is the bandwidth limit in Kb/s. Excess packets will be dropped.
To configure bandwidth guarantees, limits, and priorities
1. Go to Policy & Objects > Objects > Traffic Shapers and select the Create New “Plus” sign.
2. Select Shared or Per-IP.
3. Enter a name for the shaper.
4. Enter the Guaranteed Bandwidth, if any.
Bandwidth guarantees affect prioritization. While packet rates are less than this rate, they use priority queue 0. If this is not the effect you intend, consider entering a small guaranteed rate, or enter 0 to effectively disable bandwidth guarantees.
5. Enter a Maximum Bandwidth.
Packets greater than this rate will be discarded.
6. Select the Traffic Priority.
High has a priority value of 1, while Low is 3. While the current packet rate is below Guaranteed Bandwidth, the FortiGate unit will disregard this setting, and instead use priority queue 0.
7. Select OK.
See also