FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 24 - Traffic Shaping > Examples

Examples

While it is possible to configure QoS using a combination of security policies and in ToS­based priorities, and to distribute traffic over all six of the possible queues for each physical interface, the results of those configurations can be more difficult to analyze due to their complexity. In those cases, prioritization behavior can vary by several factors, including traffic volume, ToS (type of service) or differentiated services markings, and correlation of session to a security policy.

The following simple examples illustrate QoS configurations using either prioritization by security policy, or prioritization by ToS bit, but not both. The examples also assume you are not configuring traffic shaping for interfaces that receive hardware acceleration from network processing units (NPU).

QoS using priority from security policies

Configurations implementing QoS using the priority values defined in the security policies are capable of applying bandwidth limits and guarantees.

In addition to configuring traffic shaping, you may also choose to limit the bandwidth accepted by each interface. This can be useful in scenarios where the bandwidth received on source interfaces frequently exceeds the maximum bandwidth limit defined in the security policy. Rather than waste processing power on packets that will get dropped later in the process, you may choose to preemptively police the traffic.

If you decide to implement QoS using security policies rather than ToS bit, the FortiGate unit applies QoS to all packets controlled by the policy. This type of control is less granular than prioritization by ToS bit, but has the benefits of correlating quality of service to a security policy. This correlation enables you to distribute traffic over up to four of the possible 6 priority queues (queue 0 to queue 3), does not require other devices in your network to set or respect the ToS bit, and enables you to configure bandwidth limits and guarantees.

In the following example, we limit the bandwidth accepted by each source interface, limit the bandwidth used by sessions controlled by the security policy, and then configure prioritized queuing on the destination interface based upon the priority in the security policy, subject to alternative assignment to queue 0 when necessary to achieve the guaranteed packet rate.

To limit bandwidth accepted by an interface

In the CLI, enter the following commands:

config system interface

edit <name_str>

set inbandwidth <rate_int>

next

end

 

where <rate_int> is the bandwidth limit in Kb/s. Excess packets will be dropped.

To configure bandwidth guarantees, limits, and priorities
  1. Go to Policy & Objects > Objects > Traffic Shapers and select the Create New “Plus” sign.
  2. Select Shared or Per-IP.
  3. Enter a name for the shaper.
  4. Enter the Guaranteed Bandwidth, if any.
    Bandwidth guarantees affect prioritization. While packet rates are less than this rate, they use priority queue 0. If this is not the effect you intend, consider entering a small guaranteed rate, or enter 0 to effectively disable bandwidth guarantees.
  5. Enter a Maximum Bandwidth.
    Packets greater than this rate will be discarded.
  6. Select the Traffic Priority.
    High has a priority value of 1, while Low is 3. While the current packet rate is below Guaranteed Bandwidth, the FortiGate unit will disregard this setting, and instead use priority queue 0.
  7. Select OK.

Sample configuration

This sample configuration limits ingressing bandwidth to 500 Kb/s. It also applies separate traffic shapers to FTP and HTTP traffic. In addition to the interface bandwidth limit, HTTP traffic is subject to a security policy bandwidth limit of 200 Kb/s.

All egressing FTP traffic greater than 10 Kb/s is subject to a low priority queue (queue 3), while all egressing HTTP traffic greater than 100 Kb/s is subject to a medium priority queue (queue 2). That is, unless FTP traffic rates are lower than their guaranteed rate, and web traffic rates are greater than their guaranteed rate, FTP traffic is lower priority than web traffic.

Traffic less than these guaranteed bandwidth rates use the highest priority queue (queue 0).

Set the inbandwidth limits. This setting is only available in the CLI:

config system interface

edit wan1

set inbandwidth 500

next

end

 

Create the traffic shapers for FTP and HTTP.

To configure the FTP and HTTP shapers - web-based manager:
  1. Go to Policy and Objects > Objects > Traffic Shaper, and select the Create New “Plus” icon.
  2. Enter FTP for the name of the shaper.
  3. Set Apply Shaper to Per policy.
  4. Set the Traffic Priority to Low.
  5. Select the Guaranteed Bandwidth checkbox and enter 10 Kbps.
  6. Select the Maximum Bandwidth checkbox and enter 500 Kbps.
  7. Select OK.
  8. Select the Create New “Plus” icon.
  9. Enter HTTP for the name of the shaper.
  10. Select the Traffic Priority of Medium.
  11. Select the Guaranteed Bandwidth checkbox and enter 100 Kbps.
  12. Select the Maximum Bandwidth checkbox and enter 200 Kbps.
  13. Select OK.
To configure the FTP and HTTP shapers - CLI:

config firewall shaper traffic-shaper

edit FTP

set maximum-bandwidth 500

set guaranteed-bandwidth 10

set per-policy enable

set priority low

next

edit HTTP

set maximum-bandwidth 200

set guaranteed-bandwidth 100

set per-policy enable

set priority medium

end

QoS using priority from ToS or differentiated services

Configurations implementing QoS using the priority values defined in either global or specific ToS bit values are not capable of applying bandwidth limits and guarantees, but are capable of prioritizing traffic at per-packet levels, rather than uniformly to all services matched by the security policy.

In addition to configuring traffic prioritization, you may also choose to limit bandwidth being received by each interface. This can sometimes be useful in scenarios where you want to limit traffic levels, but do not want to configure traffic shaping within a security policy. This has the benefit of policing traffic at a point before the FortiGate unit performs most processing.

Note that if you implement QoS using ToS octet rather than security policies, the FortiGate unit applies QoS on a packet by packet basis, and priorities may be different for packets and services controlled by the same security policy. This is more granular control than prioritization by security policies, but has the drawbacks that quality of service is may not be uniform for multiple services controlled by the same security policy, packets will only use up to three of the six possible queues (queue 0 to queue 2), and bandwidth cannot be guaranteed. Other devices in your network must also be able to set or preserve ToS bits.

In this example, we limit the bandwidth accepted by each source interface, and then configure prioritized queuing on the destination interface based upon the value of the ToS bit located in the IP header of each accepted packet.

To limit bandwidth accepted by an interface, in the CLI, enter the following commands:

config system interface

edit <name_str>

set inbandwidth <rate_int>

next

end

 

where <rate_int> is the bandwidth limit in Kb/s. Excess packets will be dropped.

To configure priorities, in the CLI, configure the global priority value using the following commands:

config system global

set tos-based-priority {high | low | medium}

end

 

where high has a priority value of 0 and low is 2.

If you want to prioritize some ToS bit values differently than the global ToS-based priority, configure the priority for packets with that ToS bit value using the following commands:

config system tos-based-priority

edit <id_int>

set tos [0-15]

set priority {high | low | medium}

next

end

 

where and tos is the value of the ToS bit in the packet’s IP header, and high has a priority value of 0 and low is 2. Priority values configured in this location will override the global ToS-based priority.

Sample configuration

This sample configuration limits ingressing bandwidth to 500 Kb/s. It also queues egressing traffic based upon the ToS bit in the IP header of ingressing packets.

Unless specified for the packet’s ToS bit value, packets use the low priority queue (queue 2). For ToS bit values 4 and 15, the priorities are specified as medium (value 1) and high (value 0), respectively.

config system interface

edit wan1

set inbandwidth 500

next

end

config system global

set tos-based-priority low

end

config system tos-based-priority

edit 4

set tos 4

set priority medium

next

edit 15

set tos 15

set priority high

next

end

Example setup for VoIP

In this example, there are three traffic shaping requirements for a network:

  • Voice over IP (VoIP) requires a guaranteed, high-priority for bandwidth for telephone communications.
  • FTP bursts must be contained so as not to consume any available bandwidth. As such this traffic needs to be throttled to a smaller amount.
  • A consistent bandwidth requirement is needed for all other email and web-based traffic.

To enable this requirement, you need to create three separate shapers and three security policies for each traffic type.

For this example, the actual values are not actual values, they are used for the simplicity of the example.

Creating the traffic shapers

First create the traffic shapers that define the maximum and guaranteed bandwidth. The shared shapers will be used with some applied per-policy and some applied to all policies, to better control traffic.

VoIP shaper

The VoIP functionary is a key component to the business as a communication tool and as such requires a guaranteed bandwidth.

To create a VoIP shaper - web-based manager:
  1. Go to Policy & Objects > Objects > Traffic Shapers and select Create New.
  2. Set the Type to Shared.
  3. Enter the Name voip.
  4. Select Per Policy.
  5. Set the Traffic Priority to High.
  6. Select Maximum Bandwidth and enter 1000 Kb/s.
  7. Select Guaranteed Bandwidth and enter 800 Kb/s.
  8. Select OK.
To create a VoIP shaper - CLI:

config firewall shaper traffic-shaper

edit voip

set maximum-bandwidth 1000

set guaranteed-bandwidth 800

set per-policy enable

set priority high

end

 

This ensures that regardless of the number of policies that use this shaper, the defined bandwidth will always be the same. At the same time, the bandwidth is continually guaranteed at 800 Kb/s but if available can be as much as 1000 Kb/s. Setting the priority to high ensures that the FortiGate unit always considers VoIP traffic the most important.

FTP shaper

The FTP shaper sets the maximum bandwidth to use to avoid sudden spikes by sudden uploading or downloading of large files, and interfering with other more important traffic.

To create a FTP shaper - web-based manager:
  1. Go to Policy & Objects > Objects > Traffic Shapers and Create New.
  2. Set the Type to Shared.
  3. Enter the Name ftp.
  4. Set Apply Shaper to All Policies using this shaper.
  5. Set the Traffic Priority to Low.
  6. Select Maximum Bandwidth and enter 200 Kb/s
  7. Select Guaranteed Bandwidth and enter 200 Kb/s.
  8. Select OK.
To create a FTP shaper - CLI:

config firewall shaper traffic-shaper

edit ftp

set maximum-bandwidth 200

set guaranteed-bandwidth 200

set priority low

end

 

For this shaper, the maximum and guaranteed bandwidth are set low and to the same value. In this case, the bandwidth is restricted to a specific amount. Setting the traffic priority low ensures that more important traffic will be able to pass before FTP traffic.

Regular traffic shaper

The regular shaper sets the maximum bandwidth and guaranteed bandwidth for everyday business traffic such as web and email traffic.

To create a regular shaper - web-based manager:
  1. Go to Policy & Objects > Objects > Traffic Shapers and Create New.
  2. Set the Type to Shared.
  3. Enter the Name daily_traffic.
  4. Set Apply Shaper to Per Policy.
  5. Set the Traffic Priority to Medium.
  6. Select Maximum Bandwidth and enter 600 Kb/s
  7. Select Guaranteed Bandwidth and enter 600 Kb/s.
  8. Select OK.
To create a regular shaper - CLI:

config firewall shaper traffic-shaper

edit daily_traffic

set maximum-bandwidth 600

set guaranteed-bandwidth 600

set per-policy enable

set priority medium

end

 

For this shaper, the maximum and guaranteed bandwidth are set to a moderate value of 600 Kb/s. It is also set for per policy, which ensures each security policy for day-to-day business traffic has the same distribution of bandwidth.

Creating security policies

To employ the shaper, create security policies that use the shapers within the policies. Create a separate policy for each service and enable traffic shaping. For example, a policy for FTP traffic, a policy for SIP and so on.

For the following steps the VoIP traffic shaper is enabled as well as the reverse direction option. This ensures that return traffic for a VoIP call has the same guaranteed bandwidth as the outgoing call.

To enable traffic shaping in the security policy - web-based manager:
  1. Go to Policy & Objects > Policy > IPv4 and select Create New.
  2. Enter the following:
Incoming interface Internal interface
Source address All
Outgoing interface WAN1
Destination address All
Schedule always
Service SIP
Action ACCEPT
  1. Select Traffic Shaping.
  2. From the drop-down menu, select the voip shaper created in the previous steps.
  3. Select Reverse Direction Traffic Shaping.
  4. Select OK.
To enable traffic shaping in the security policy - CLI:

config firewall policy

edit 6

set srcintf <internal_interface>

set scraddr all

set dstintf wan1

set dstaddr all

set action accept

set schedule always

set service sip

set traffic-shaper voip

set reverse-traffic-shaper voip

end