Traffic shaping methods
There are three types of traffic shaping configurations in FortiOS. Each type has a specific function, and all types can be used together in varying configurations. Policy shaping allows you to define the maximum bandwidth and the guaranteed bandwidth set for a security policy. Per-IP traffic shaping allows you to define traffic control on a more granular level. Application traffic shaping goes further, allowing traffic controls on specific applications or application groupings.
This section describes the types of traffic shapers and how to configure them in the GUI and the CLI.
To configure traffic shaping in the GUI, you must enable Traffic Shaping in System > Feature Visibility.
Traffic shaping options
When you configure traffic shaping for your network, you can use the following methods to control the flow of network traffic to ensure that the traffic you want gets through, while also limiting bandwidth for less important traffic or traffic that consumes a lot of bandwidth.
- Shared policy shaping - bandwidth management by security policies
- Per-IP shaping - bandwidth management by user IP addresses
- Application control shaping - bandwidth management by application
Traffic shapers allow you to define how traffic will flow by setting the traffic priority, bandwidth, and DSCP options. You create shared policy traffic shapers and per-IP traffic shapers under Policy & Objects > Traffic Shapers.
You then enable traffic shapers within the traffic shaping policy, under Policy & Objects > Traffic Shaping Policy.
You can apply application control shaping to any traffic shaping policy, under Policy & Objects > Traffic Shaping Policy. You can control traffic by application category, application, and URL category.
To apply application control shaping, you must first enable application control at the policy level, under Policy & Objects > IPv4 Policy.
Traffic shaping policies allow you to apply traffic shaping measures to any traffic that matches your criteria. The criteria must specify a source, destination, service, and outgoing interface. Also, you must enable at least one type of traffic shaper to create a traffic shaping policy.
You can enable traffic shaping options on a FortiGate at the same time within a single traffic shaping policy. Generally, the hierarchy for traffic shapers in FortiOS is:
- Application control traffic shaper
- Shared policy traffic shaper
- Per-IP traffic shaper
Within this hierarchy, if an application control list has a traffic shaper defined, it has precedence over any other policy traffic shaper. For example, the Facebook application control example in Application control shaping supersedes any security policy enabled traffic shapers. While the Facebook application may reach its maximum bandwidth, the user can still have the bandwidth room available from the shared traffic shaper and, if enabled, the per-IP traffic shaper.
Equally, any security policy shared traffic shaper has precedence over any per-IP traffic shaper. However, traffic that exceeds any of these traffic shapers is dropped. For example, the policy traffic shaper takes effect first, but if the per-IP traffic shaper limit is reached first, the traffic for that user is dropped even if the shared traffic shaper limit for the policy hasn't been exceeded.
Shared policy traffic shaping
Traffic shaping by security policy allows you to control the maximum and guaranteed throughput for any security policies specified in the traffic shaping policy.
When you configure a traffic shaper, you can apply bandwidth shaping per policy or for all policies. Depending on your selection, the FortiGate applies the traffic shaping rules differently.
By default, shared traffic shapers apply traffic shaping evenly to all policies that use them. For the Per policy and All policies using this shaper options to appear in the GUI, you must first enable per-policy shaping in the CLI. Go to Policy & Objects > Traffic Shapers and right-click on the traffic shaper to edit it in the CLI. Enter the following CLI commands:
set per-policy enable
end
Per policy
When you select a shared traffic shaper to be per policy, the FortiGate applies the traffic shaping rules to each security policy individually.
For example, if a traffic shaper is set to per policy with a maximum bandwidth of 1000 Kb/s and applied to four security policies, each policy has the same maximum bandwidth of 1000 Kb/s.
Per policy traffic shaping is compatible with client/server (active-passive) transparent mode WAN optimization rules. Traffic shaping is ignored for peer-to-peer WAN optimization and for client/server WAN optimization not operating in transparent mode.
For all policies using a traffic shaper
When you select a shared shaper to apply to all policies (All policies using this shaper), the FortiGate applies the traffic shaping rules to all policies using the same shaper. For example, a traffic shaper is set to All policies using this shaper with a maximum bandwidth of 1000 Kbps. There are four security policies monitoring traffic through the FortiGate. All four have the traffic shaper enabled. Each security policy must share the defined 1000 Kbps, on a first come, first served basis. For example, if policy 1 uses 800 Kbps, the remaining three must share 200 Kbps. As policy 1's usage drops, the freed bandwidth becomes available to the other policies as required. Once the bandwidth is fully used, any other policy encounters latency until free bandwidth opens from a policy currently in use.
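The allocation rules above (Per policy versus All policies using this shaper, and the per-IP drop rule from the hierarchy section) as a small Python model. This is an added example, not code from the FortiOS documentation; the policy names, bandwidth figures and IP addresses are constructed sample values, and the first come, first served pool is a simplification of the FortiGate scheduler.

```python
from typing import Dict, List, Tuple


def allocate_shared(max_kbps: int, per_policy: bool,
                    demands: List[Tuple[str, int]]) -> Dict[str, int]:
    """Divide one shared shaper's maximum bandwidth among security policies.

    demands: (policy_id, requested_kbps) in the order the policies started
    sending, because an "all policies" shaper is first come, first served.
    max_kbps == 0 means unlimited, as the CLI allows.
    """
    granted: Dict[str, int] = {}
    if per_policy:
        # Per policy: each policy gets its own full copy of the limit.
        for pid, want in demands:
            granted[pid] = want if max_kbps == 0 else min(want, max_kbps)
        return granted
    # All policies using this shaper: one pool, consumed in arrival order.
    remaining = None if max_kbps == 0 else max_kbps
    for pid, want in demands:
        take = want if remaining is None else min(want, remaining)
        granted[pid] = take
        if remaining is not None:
            remaining -= take
    return granted


def apply_per_ip(max_kbps: int,
                 flows: List[Tuple[str, int]]) -> List[Tuple[str, int, int]]:
    """Apply a per-IP shaper to flows given as (source_ip, kbps).

    Each source IP may use at most max_kbps across all of its flows; anything
    above that is dropped even if the shared shaper above it still has room,
    which is the drop rule the text describes. Returns
    (source_ip, forwarded_kbps, dropped_kbps) per flow, in input order.
    """
    used: Dict[str, int] = {}
    result: List[Tuple[str, int, int]] = []
    for ip, kbps in flows:
        room = kbps if max_kbps == 0 else max(0, max_kbps - used.get(ip, 0))
        forwarded = min(kbps, room)
        used[ip] = used.get(ip, 0) + forwarded
        result.append((ip, forwarded, kbps - forwarded))
    return result


if __name__ == "__main__":
    # Constructed sample: four policies on a 1000 Kbps shaper, policy 1 first.
    demands = [("policy1", 800), ("policy2", 150), ("policy3", 100), ("policy4", 50)]
    print("per policy:  ", allocate_shared(1000, True, demands))
    print("all policies:", allocate_shared(1000, False, demands))
    # Constructed sample: one host exceeds a 300 Kbps per-IP shaper.
    print(apply_per_ip(300, [("10.0.0.5", 200), ("10.0.0.5", 200), ("10.0.0.9", 100)]))
```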
Maximum and guaranteed bandwidth
The maximum bandwidth sets the largest amount of traffic allowed through the security policy. Depending on the service or the users included in the security policy, this number can provide a larger or smaller throughput depending on the priority you set for the traffic shaper.
The Maximum Bandwidth can be set to a value of between 1 and 16776000 Kbps. The GUI gives an error if any value outside of this range is used, but in the CLI a value of 0 can be entered. Setting the maximum bandwidth to 0 provides unlimited bandwidth.
The guaranteed bandwidth ensures there's a consistent reserved bandwidth available for a given service or user. When setting the guaranteed bandwidth, ensure that the value is significantly less than the bandwidth capacity of the interface; otherwise little or no other traffic passes through the interface, potentially causing unwanted latency.
Traffic priority
Select a traffic priority of high, medium, or low, so the FortiGate manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server that needs to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth isn't needed for high-priority connections.
Be sure to enable traffic shaping on all security policies. If you don't apply a traffic shaping rule to a policy, the policy is set to high priority by default. Distribute security policies over all three priority queues.
Traffic shaping policy order
You must also place the traffic shaping policies in the correct order in the traffic shaping policy list page to get the desired results. It's necessary to arrange your traffic shaping policies into a sequence that places your more granular policies above general Internet access policies. For example, you should place any policies with application control shaping at the top of the traffic shaping policy list, followed by more general traffic shaping policies with shared policy shapers and per-IP traffic shapers.
The policy list page is located under Policy & Objects > Traffic Shaping Policy. To change the order of the policies, select the far left column to move the policy up or down. Make sure that the ID column is showing on your menu so you can easily verify a policy's position in the sequence.
For example, you can place a high priority VoIP traffic shaping policy at the top of the list, followed by restrictive policies that control streaming media, and your general Internet access policy last.
Traffic shaping policy configuration settings
To configure a traffic shaping policy, go to Policy & Objects > Traffic Shaping Policy and select Create New to create a new traffic shaping policy.
Policies are enabled by default. If you want to disable a traffic shaping policy, set Status to Disabled.
Set the If Traffic Matches section to the default options shown below or specify the criteria so that it matches a specific security policy.
Setting | Value |
---|---|
Source | all (default) |
Destination | all (default) |
Service | ALL (default) |
Application Category | Choose an application category to apply traffic shaping to a specific category of applications, such as P2P, Social.Media, or VoIP. |
Application | Choose an application to specify which applications you want to apply traffic shaping to, such as YouTube, Vimeo, or Facebook. |
URL Category | Choose a URL category to block a subset of applications. For example, you can block potentially liable websites, security risks, and bandwidth consuming services. |
Set the options in the Then section to the following:
Setting | Value |
---|---|
Outgoing Interface | any (default). Set this to the external interface that you want to apply traffic shaping to. For example, wan1 is often used. |
Shared Shaper | This affects uploads or outbound traffic. Choose one of the default shared traffic shapers: guarantee-100kbps, high-priority, medium-priority, low-priority, shared-1M-pipe, or create your own under Policy & Objects > Traffic Shapers. Shared traffic shapers share the allotted bandwidth with any security policies using them (unless they're set to per-policy in the CLI). |
Reverse Shaper | This affects downloads or inbound traffic. Choose one of the default shared traffic shapers: guarantee-100kbps, high-priority, medium-priority, low-priority, shared-1M-pipe, or create your own under Policy & Objects > Traffic Shapers. |
Per-IP Shaper | Per-IP shapers affect downloads and uploads. Enable a per-IP traffic shaper if you want to apply bandwidth management by user IP address. You create traffic shapers under Policy & Objects > Traffic Shapers. |
To create the traffic shaping policy – CLI:
config firewall shaping-policy
edit <shaping_policy_ID>
set srcaddr <source_address>
set dstaddr <destination_address>
set service <service_name>
set schedule {always | none}
set application <application_name>
set app-category <application_category_ID_list>
set url-category <URL_category_ID_list>
set dstintf <destination_interface_list>
set traffic-shaper <shared_shaper_name>
set traffic-shaper-reverse <reverse_traffic_shaper_name>
set per-ip-shaper <per_IP_shaper_name>
end
VLAN, VDOM, and virtual interfaces
Policy-based traffic shaping doesn't use queues directly. It shapes the traffic and if the packet is allowed by the security policy, a priority is assigned. That priority controls what queue the packet is put in upon egress. VLANs, VDOMs, aggregate ports, and other virtual devices don't have queues and, as such, traffic is sent directly to the underlying physical device where it's queued and affected by the physical ports. This is also the case with IPsec connections.
Shared traffic shaper configuration settings
To configure a shared traffic shaper go to Policy & Objects > Traffic Shapers and select Create New to create a new traffic shaper.
Setting | Description |
---|---|
Type | Select Shared. |
Name | Enter a name for the traffic shaper. |
Apply shaper | When selecting a traffic shaper to be Per policy, the FortiGate applies the traffic shaping rules defined to each security policy individually. For example, if a traffic shaper is set to per policy, with a maximum bandwidth of 1000 Kbps, any security policies that have that traffic shaper enabled get 1000 Kbps of bandwidth each. When selecting a traffic shaper to apply to all policies (All policies using this shaper), the FortiGate applies the traffic shaping rules to all policies using the same traffic shaper. For example, the traffic shaper is set to All policies using this shaper with a maximum bandwidth of 1000 Kbps. There are four security policies monitoring traffic through the FortiGate. All four have the traffic shaper enabled. Each security policy must share the defined 1000 Kbps, on a first come, first served basis. For example, if policy 1 uses 800 Kbps, the remaining three must share 200 Kbps. As policy 1's usage drops, the freed bandwidth becomes available to the other policies as required. Once the bandwidth is fully used, any other policy encounters latency until free bandwidth opens from a policy currently in use. |
Traffic Priority | Select the level of importance so the FortiGate manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. If you don't apply a traffic shaping priority, the priority is set to High by default. |
Max Bandwidth | The maximum bandwidth sets the largest amount of traffic allowed through the security policy. Depending on the service or the users included in the security policy, this number provides a larger or smaller throughput depending on the priority you set for the traffic shaper. Setting Max Bandwidth to 0 provides unlimited bandwidth. |
Guaranteed Bandwidth | The guaranteed bandwidth ensures that a consistent reserved bandwidth is available for a given service or user. Ensure that you set the bandwidth to a value that's significantly less than the bandwidth capacity of the interface. Otherwise, little to no other traffic passes through the interface, potentially causing unwanted latency. Setting Guaranteed Bandwidth to 0 provides unlimited bandwidth. |
DSCP | Enter the number for the DSCP value. You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet. For more information, see Traffic shaping methods. |
Shared traffic shaper per policy example
The following steps create a per policy traffic shaper called “Throughput” with a maximum bandwidth of 150,000 Kbps and a guaranteed bandwidth of 120,000 Kbps, with a high traffic priority (the values used in the GUI and CLI steps below).
To create the shared traffic shaper – GUI:
- Go to Policy & Objects > Traffic Shapers and select Create New.
- Set the Type to Shared.
- Enter the Name Throughput.
- Set the Apply shaper field to Per policy.
By default, shared traffic shapers apply traffic shaping evenly to all policies that use them. For the Per policy and All policies using this shaper options to appear in the GUI, you must first enable per-policy shaping in the CLI. Go to Policy & Objects > Traffic Shapers and right-click on the traffic shaper to edit it in the CLI. Enter the following CLI commands:
set per-policy enable
end
- Set the Traffic Priority to High.
- Enable Max Bandwidth and enter the value 150000.
- Enable Guaranteed Bandwidth and enter the value 120000.
- Select OK.
To create the shared traffic shaper – CLI:
config firewall shaper traffic-shaper
edit Throughput
set per-policy enable
set maximum-bandwidth 150000
set guaranteed-bandwidth 120000
set priority high
end
Per-IP traffic shaping
Traffic shaping by IP allows you to apply traffic shaping to all source IP addresses in the security policy. In addition to controlling the maximum bandwidth for users of a selected policy, you can also define the maximum number of concurrent sessions.
Per-IP traffic shaping allows you to limit the behavior of every member of a policy to avoid having one user use all of the available bandwidth. The bandwidth is shared equally within a group. Using a per-IP traffic shaper avoids having to create multiple policies for every user you want to apply a traffic shaper to. Per-IP traffic shaping isn't supported over NP2 interfaces.
Per-IP traffic shaping configuration settings
To configure per-IP traffic shaping go to Policy & Objects > Traffic Shapers and select Create New.
Setting | Description |
---|---|
Type | Select Per-IP. |
Name | Enter a name for the per-IP traffic shaper. |
Max Bandwidth | The maximum bandwidth sets the largest amount of traffic allowed through the security policy. Depending on the service or the users included in the security policy, this number can provide a larger or smaller throughput depending on the priority you set for the traffic shaper. Setting Max Bandwidth to 0 (zero) provides unlimited bandwidth. |
Max Concurrent Connections | Enter the maximum allowed concurrent connections. |
Forward DSCP, Reverse DSCP | Enter the number for the DSCP value. You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet. For more information, see Traffic shaping methods. |
Example
The following steps create a per-IP traffic shaper called “Accounting” with a maximum traffic amount of 720,000 Kbps, and the number of concurrent sessions of 200.
To create the per-IP traffic shaper – GUI:
- Go to Policy & Objects > Traffic Shapers and select Create New.
- Set the Type to Per-IP.
- Enter the Name Accounting.
- Enable the Max Bandwidth and enter the value 720000.
- Enable the Max Concurrent Sessions and enter the value 200.
- Select OK.
To create the per-IP traffic shaper – CLI:
config firewall shaper per-ip-shaper
edit Accounting
set max-bandwidth 720000
set max-concurrent-session 200
end
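The two shaper blocks above (the shared "Throughput" shaper and the per-IP "Accounting" shaper) rendered from Python values, with the limits the text states checked first: the 0 to 16776000 Kbps range, 0 meaning unlimited, the guarantee not exceeding the maximum, and the guarantee staying well below the interface capacity. This is an added example and not part of the FortiOS documentation; the interface capacity argument and the "half the link" threshold for "significantly less" are this example's own assumptions, and the CLI text it emits is exactly the form shown on this page.

```python
MAX_BANDWIDTH_KBPS = 16776000   # largest value the GUI accepts, per the text above
PRIORITIES = ("high", "medium", "low")


def validate_bandwidth(max_kbps, guaranteed_kbps=0, interface_kbps=None):
    """Raise ValueError for values the text describes as invalid or unsafe.

    0 means unlimited for both settings (the CLI semantics described above).
    interface_kbps is the link capacity (a constructed input); the guarantee
    must stay well below it or other traffic on the interface is starved.
    """
    for label, value in (("maximum", max_kbps), ("guaranteed", guaranteed_kbps)):
        if not isinstance(value, int) or not 0 <= value <= MAX_BANDWIDTH_KBPS:
            raise ValueError(f"{label} bandwidth {value!r} not in 0..{MAX_BANDWIDTH_KBPS} Kbps")
    if max_kbps and guaranteed_kbps > max_kbps:
        raise ValueError("guaranteed bandwidth exceeds maximum bandwidth")
    if interface_kbps is not None and guaranteed_kbps * 2 > interface_kbps:
        # "Significantly less" is not quantified on the page; half the link
        # capacity is an assumed threshold for this check.
        raise ValueError("guaranteed bandwidth is not well below interface capacity")


def shared_shaper_cli(name, max_kbps, guaranteed_kbps, priority,
                      per_policy=False, interface_kbps=None):
    """Render 'config firewall shaper traffic-shaper' as shown above."""
    validate_bandwidth(max_kbps, guaranteed_kbps, interface_kbps)
    if priority not in PRIORITIES:
        raise ValueError(f"priority must be one of {PRIORITIES}")
    lines = ["config firewall shaper traffic-shaper", f"edit {name}"]
    if per_policy:
        lines.append("set per-policy enable")
    lines += [f"set maximum-bandwidth {max_kbps}",
              f"set guaranteed-bandwidth {guaranteed_kbps}",
              f"set priority {priority}",
              "end"]
    return "\n".join(lines)


def per_ip_shaper_cli(name, max_kbps, max_sessions):
    """Render 'config firewall shaper per-ip-shaper' as shown above."""
    validate_bandwidth(max_kbps)
    if not isinstance(max_sessions, int) or max_sessions < 0:
        raise ValueError("max concurrent sessions must be a non-negative integer")
    return "\n".join(["config firewall shaper per-ip-shaper", f"edit {name}",
                      f"set max-bandwidth {max_kbps}",
                      f"set max-concurrent-session {max_sessions}",
                      "end"])


if __name__ == "__main__":
    # Constructed sample: a 1 Gbps link, so a 120 Mbps guarantee is acceptable.
    print(shared_shaper_cli("Throughput", 150000, 120000, "high",
                            per_policy=True, interface_kbps=1000000))
    print(per_ip_shaper_cli("Accounting", 720000, 200))
```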
Adding a per-IP traffic shaper to a traffic shaping policy
Per-IP traffic shaping is supported by IPv6 security policies. You can add any per-IP traffic shaper to an IPv6 security policy in the CLI.
Policies are enabled by default. If you want to disable a traffic shaping policy, set Status to Disabled.
Example
The following steps show you how to add an existing per-IP traffic shaper to an IPv6 security policy. Make sure that you have already created a per-IP traffic shaper under Policy & Objects > Traffic Shapers.
To add a per-IP traffic shaper to an IPv6 security policy - GUI:
- Go to Policy & Objects > IPv6 Policy and select Create New to create an Internet access policy.
- Set the following:
Setting | Value |
---|---|
Name | Enter a descriptive name |
Incoming Interface | Internal |
Outgoing Interface | wan1 |
Source | all |
Destination Address | all |
Schedule | always |
Service | ALL |
Action | ACCEPT |
- Select OK.
- Go to Policy & Objects > Traffic Shaping Policy and Create New to create a new traffic shaping policy.
- To apply your traffic shaping policy to the security policy you created earlier set the If Traffic Matches to the following:
Setting | Value |
---|---|
Source | all |
Destination | all |
Service | ALL |
Application Category | - |
Application | - |
URL Category | - |
- In the Then section, set the following:
Setting | Value |
---|---|
Outgoing Interface | any by default. The outgoing interface should match the outgoing interface of the security policy you want to apply traffic shaping to. |
Shared Shaper | - |
Reverse Shaper | - |
Per-IP Shaper | Enable Per-IP Shaper and select your traffic shaper from the drop-down menu. |
- Select OK.
- On the Traffic Shaping Policy page, move the per-IP traffic shaper to the top of the list by clicking on the far left column to drag and drop it.
There are two methods to configure traffic shaping in the CLI. You can add a per-IP traffic shaper directly to an IPv6 security policy, or you can add a per-IP shaper to a traffic shaping policy. The second method allows you to apply traffic shaping based on the interface and can therefore affect multiple security policies easily. The first method requires that you enable traffic shaping individually in all policies using the same two interfaces.
To add a per-IP traffic shaper to an IPv6 security policy – CLI:
config firewall policy6
edit <security_policy_ID_number>
set per-ip-shaper <per_IP_shaper_name>
end
To add a per-IP traffic shaper to an IPv6 traffic shaping policy – CLI:
config firewall shaping-policy
edit <shaping_policy_ID_number>
set ip-version 6
set srcaddr <source_address>
set dstaddr <destination_address>
set service <service_name>
set dstintf <outgoing_interface>
set per-ip-shaper <per_IP_shaper_name>
end
Application control shaping
Traffic shaping is also possible for specific applications. Application control shaping works in conjunction with a shared traffic shaper or per-IP traffic shaper. You must create a traffic shaper with the bandwidth settings you would like to enforce or edit one of the predefined traffic shapers on the Traffic Shapers page.
Traffic shaping policies allow you to enable these traffic shapers and configure application control options. In the traffic shaping policy, you can set an Application Category, Application, and URL Category. You must also specify which security policies to apply your traffic shaper to by setting the options in the If Traffic Matches section. You create a traffic shaping policy in the Policy & Objects > Traffic Shaping Policy section.
For application control shaping to work, application control must be enabled in a security policy, through Policy & Objects > IPv4 Policy or Policy & Objects > IPv6 Policy in the Security Profiles section. Also, application control traffic shaping affects only applications that are set to pass in Security Profiles > Application Control.
Policies are enabled by default. If you want to disable a traffic shaping policy, set Status to Disabled.
Example
This example sets the traffic shaping definition for Facebook to medium priority, which is a default traffic shaper.
To add traffic shaping for Facebook – GUI:
- Go to Policy & Objects > IPv4 Policy to create a general Internet access security policy.
- Select Create New to create a new security policy (or edit an existing Internet access policy).
- Set the following to enable application control within a security policy:
Setting | Value |
---|---|
Name | Enter a descriptive name. |
Incoming Interface | Internal |
Outgoing Interface | wan1 |
Source | all |
Destination | all |
Schedule | always |
Service | ALL |
Action | ACCEPT |
Application Control | In the Security Profiles section, enable Application Control and select the default application control profile. |
- Select OK.
- Go to Policy & Objects > Traffic Shaping Policy and select Create New to create a new traffic shaping policy.
- To apply your traffic shaping policy to the security policy you created earlier, set the If Traffic Matches to the following:
Setting | Value |
---|---|
Source | all |
Destination | all |
Service | ALL |
Application Category | Social.Media |
Application | - |
URL Category | Social Networking |
- In the Then section, set the following:
Setting | Value |
---|---|
Outgoing Interface | any by default. The outgoing interface should match the outgoing interface of the security policy you want to apply shaping to. |
Shared Shaper | Enable Shared Shaper and select medium-priority from the drop-down menu. |
Reverse Shaper | Enable Reverse Shaper and select medium-priority from the drop-down menu. |
- Select OK.
- On the Traffic Shaping Policy page, move the Facebook traffic shaping policy to the top of the list by clicking on the far left column to drag and drop it.
To create a traffic shaping policy for Facebook – CLI:
config firewall shaping-policy
edit 1 <shaping_policy_ID_number>
set srcaddr all
set dstaddr all
set service ALL
set application 15832
set app-category 23 <Social.Media>
set url-category 37 <Social Networking>
set dstintf wan1 <outgoing_interface>
set traffic-shaper medium-priority
set traffic-shaper-reverse medium-priority
end
Reverse direction traffic shaping
The traffic shaper you select in the traffic shaping policy (shared traffic shaper) affects the traffic in the direction defined in the policy. For example, if the source interface is lan and the destination is wan1, the traffic shaping affects the flow in this direction only, that is, the upload speed of the outbound traffic. You can define a traffic shaper for the policy in the opposite direction to affect the download speed of the inbound traffic; in this example, from wan1 to lan.
To add a reverse shaper – GUI:
- Go to Policy & Objects > Traffic Shaping Policy.
- Select Create New or select an existing policy and click Edit.
- Set the If Traffic Matches to match the interfaces of any security policies you want to affect.
- Navigate to the Then section, enable the Shared Shaper, and select a traffic shaper from the drop-down menu.
- Enable the Reverse Shaper and select a traffic shaper from the drop-down menu.
- Select OK.
Setting the reverse direction only
There may be instances where you only need traffic shaping for incoming connections, which is in the reverse direction of typical traffic shapers.
To add a reverse traffic shaper – GUI:
- Go to Policy & Objects > Traffic Shaping Policy.
- Click Create New or select an existing policy and click Edit.
- Set the If Traffic Matches to match the interfaces of any security policies you want to affect.
- Navigate to the Then section, enable the Reverse Shaper and select a traffic shaper from the drop-down menu.
- Select OK.
To configure a reverse-only traffic shaper in a traffic shaping policy – CLI:
config firewall shaping-policy
edit <policy_number>
set traffic-shaper-reverse medium-priority
end
To configure a reverse-only shaper within a security policy – CLI:
config firewall policy
edit <policy_number>
...
set traffic-shaper-reverse <shaper_name>
end
Enabling traffic shaping in the security policy
Historically, FortiOS traffic shapers have always been enabled within a security policy. This is no longer the easiest way to apply traffic shapers, since in FortiOS 5.4 traffic shaping is now configured in the traffic shaping policy section, under Policy & Objects > Traffic Shaping Policy. However, you can still enable traffic shapers within a security policy using CLI commands and it will then appear in the GUI afterwards. The traffic shapers always go into effect after any DoS detection policies, and before any routing or packet scanning occurs.
Traffic shaping is also supported for IPv6 policies.
This isn't the recommended method, as it's easier to keep track of and order your traffic shaping policies if you configure them within a traffic shaping policy.
To enable traffic shaping within a security policy – CLI:
config firewall policy
edit <policy_number>
...
set traffic-shaper <traffic_shaper_name>
set traffic-shaper-reverse <traffic_shaper_name>
set per-ip-shaper <per_IP_traffic_shaper_name>
end
Shared traffic shapers affect outbound traffic heading to a destination. To affect inbound traffic, or downloads, enable the Reverse Shaper also. For more information, see Reverse direction traffic shaping.
Scheduling traffic shaping policies
You can apply different traffic shaping profiles at different times. The schedule attribute is available in the CLI, and you can use it to apply a recurring schedule to your traffic shaping policies. The default recurring schedule options available are always or none. You can also create new schedules or schedule groups under Policy & Objects > Schedules. This allows you to create custom recurring or one-time schedules that can then be applied to your traffic shaping policies using the CLI commands below.
To schedule traffic shaping policies – CLI:
config firewall shaping-policy
edit <shaping_policy_ID>
set schedule {always | none}
end
ToS priority
Type of service (ToS) is an 8-bit field in the IP header that allows you to determine how the IP datagram should be delivered, using criteria of delay, throughput, priority, reliability, and cost. Each quality helps gateways determine the best way to route datagrams. A router maintains a ToS value for each route in its routing table. The lowest priority ToS is 0, and the highest is 7 when bits 3, 4, and 5 are all set to 1. There are other seldom used or reserved bits that aren't listed here.
Together these bits are the ToS variable of the tos-based-priority command. The router tries to match the ToS of the datagram to the ToS on one of the possible routes to the destination. If there's no match, the datagram is sent over a zero ToS route. Using increased quality may increase the cost of delivery because better performance may consume limited network resources.
Each bit represents the priority as defined in RFC 1349:
- 1000 - minimize delay
- 0100 - maximize throughput
- 0010 - maximize reliability
- 0001 - minimize monetary cost
To set the ToS value – CLI:
config system tos-based-priority
edit <sequence_number>
set tos [0-15]
set priority {high | medium | low}
end
Where tos is the value of the type of service bits in the IP datagram header, between 0 and 15, and priority is the FortiGate priority assigned to that type of service. These priority levels conform to the firewall traffic shaping priorities, as defined in RFC 1349.
For example, if you want to configure a FortiGate so that reliability is the first priority, set the ToS value to 4.
config system tos-based-priority
edit 1
set tos 4
set priority high
end
For a list of ToS values and their DSCP equivalents, see Traffic mapping.
Example
config system tos-based-priority
edit 1
set tos 1
set priority low
next
edit 4
set tos 4
set priority medium
next
edit 6
set tos 6
set priority high
next
end
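The ToS handling described above, worked through in Python: split the 8-bit ToS byte of an IPv4 header into its precedence and the 4-bit RFC 1349 value that set tos takes, name the bits that are set, and look the value up in a table of tos-based-priority entries of the form shown in the example just above. This is an added example, not code from the FortiOS documentation; the table entries mirror the example above and the IPv4 header bytes are constructed.

```python
from typing import List, Optional, Tuple

# RFC 1349 ToS bits as the 4-bit value 'set tos' takes (matches the list above).
RFC1349_BITS = ((8, "minimize delay"), (4, "maximize throughput"),
                (2, "maximize reliability"), (1, "minimize monetary cost"))

# Constructed entries in the form of the tos-based-priority example above:
# (sequence, tos, priority).
TOS_PRIORITY_TABLE = [(1, 1, "low"), (4, 4, "medium"), (6, 6, "high")]


def split_tos_byte(tos_byte: int) -> Tuple[int, int]:
    """Split the 8-bit IPv4 ToS byte into (precedence, tos).

    The three high-order bits are precedence (0..7); the next four are the
    RFC 1349 ToS bits, read as a value from 0 to 15; the low-order bit is
    reserved and ignored here.
    """
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS byte must be 0..255")
    return tos_byte >> 5, (tos_byte >> 1) & 0x0F


def tos_flags(tos: int) -> List[str]:
    """Names of the RFC 1349 qualities requested by a 4-bit ToS value."""
    return [name for bit, name in RFC1349_BITS if tos & bit]


def tos_priority(tos: int, table=TOS_PRIORITY_TABLE) -> Optional[str]:
    """Priority of the first entry (by sequence) whose tos matches, else None."""
    for _seq, entry_tos, priority in sorted(table):
        if entry_tos == tos:
            return priority
    return None


def classify_ipv4(header: bytes):
    """Classify a raw IPv4 header as (precedence, tos, flags, priority)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    precedence, tos = split_tos_byte(header[1])
    return precedence, tos, tos_flags(tos), tos_priority(tos)


# Constructed 20-byte IPv4 header whose ToS byte is 0x08 (ToS value 4).
SAMPLE_HEADER = bytes.fromhex("4508003c1c4640004006b1e6c0a80001c0a800c7")

if __name__ == "__main__":
    print(classify_ipv4(SAMPLE_HEADER))
```

A packet whose ToS value has no table entry yields a priority of None here; on the FortiGate it simply keeps the priority given by the traffic shaping settings, as the sequence in the next section describes.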
ToS in FortiOS
Traffic shaping and ToS follow the following sequence:
- The CLI command tos-based-priority acts as a ToS-to-priority mapping. FortiOS maps the ToS to a priority when it receives a packet.
- Traffic shaping settings adjust a packet's priority according to the traffic.
- The packet is delivered based on its priority.
Traffic shaping units of measurement
Bandwidth speeds are measured in kilobits per second (Kbps), and bytes that are sent and received are measured in megabytes (MB). Occasionally this can cause confusion depending on whether your ISP uses kilobits per second (Kbps), kilobytes per second (KBps), megabits per second (Mbps), or gigabits per second (Gbps).
Download speeds
- 1 kilobyte per second (KBps) = 8 kilobits per second (Kbps)
- 1 megabit per second (Mbps) = 1,000,000 bits per second (bps)
- 1 gigabit per second (Gbps) = 1,000 megabits per second (Mbps)
File sizes
- 1 megabyte (MB) = 1,024 kilobytes (KB)
- 1 gigabyte (GB) = 1,024 megabytes (MB) or 1,048,576 kilobytes (KB)
To change a traffic shaper's unit of measurement - CLI:
config firewall shaper traffic-shaper
edit <traffic_shaper_name>
set bandwidth-unit {kbps | mbps | gbps}
end
Interface-based traffic shaping
You can enable traffic shaping on an interface. This allows you to enforce bandwidth limits for individual interfaces, by percentage. To configure interface-based traffic shaping, you must classify traffic in a traffic shaping policy, assign bandwidth percentages in a traffic shaping profile, and apply the traffic shaping profile as the egress traffic shaper on an interface.
Currently, only egress traffic shaping is available. To achieve ingress traffic shaping, you can typically configure egress traffic shaping on the alternate interface. For example, if you want to control inbound traffic on the WAN interface of the FortiGate, you can apply outbound traffic shaping to the LAN interface. |
Classifying traffic
You can use a traffic shaping policy to classify traffic. Edit a traffic shaping policy using the config firewall shaping-policy command, and set the class-id. A FortiGate stores the class-id on the kernel session, so that it can quickly categorize any traffic that matches the criteria you define in the traffic shaping policy.
To set the traffic class – CLI:
config firewall shaping-policy
edit <shaping_policy_ID>
...
set class-id <value>
next
end
where class-id is a value in the range of 2 to 31.
Assigning bandwidth percentages
You can assign bandwidth percentages using the config firewall shaping-profile command. Set a bandwidth guarantee using the guaranteed-bandwidth-percentage command and set a maximum bandwidth using the maximum-bandwidth-percentage command.
To assign bandwidth percentages in a traffic shaping profile – CLI:
config firewall shaping-profile
edit <egress_shaper_name>
set default-class-id 2
config shaping-entries
edit 1
set class-id 2
set priority {low | medium | high}
set guaranteed-bandwidth-percentage 3
set maximum-bandwidth-percentage 50
next
edit 3
set class-id 5
set priority {low | medium | high}
set guaranteed-bandwidth-percentage 3
set maximum-bandwidth-percentage 50
next
end
end
where you set the following variables:
Variable | Description |
---|---|
default-class-id | The default class ID handles unclassified packets, including all local traffic. You must define the default class ID, since unclassified traffic must be controlled. Note that any traffic class that's defined in the traffic shaping policy, but isn't defined in the traffic shaping profile, is classified as part of the default class ID. |
class-id | The class-id is a value in the range of 2 to 31. |
priority | The priority assigned (low, medium, high) to the class also plays a critical role in the bandwidth algorithm. Basically, priority decides which class can win when multiple classes compete for the available bandwidth on the interface. |
guaranteed-bandwidth-percentage | The For example, if you set the |
maximum-bandwidth-percentage | The |
Important requirements:
Apply the traffic shaping profile
You can apply the egress traffic shaper to an interface using the config system interface command to edit the interface of your choice. Then, set the inbandwidth and outbandwidth values to the total amount of bandwidth that's available on the interface. Set the egress-shaping-profile to the traffic shaping profile you want to apply.
To apply the egress shaper to an interface – CLI:
config system interface
edit <interface-name>
set inbandwidth <limit>
set outbandwidth <limit>
set egress-shaping-profile <egress_shaper_name>
next
end
where the inbandwidth and outbandwidth value is the total amount of bandwidth that's available on the interface, from a value in the range of 0 to 1677600 kbps.
You should set the egress-shaping-profile value to the traffic shaping profile you want to apply.
Example of competing priority classes
The following example can help you understand how the bandwidth algorithm uses both the class ID, and priority settings to determine which class wins when there are competing traffic classes. These examples are based on the assumption that the traffic volume of each class is larger than its allocated bandwidth.
If a class has a small traffic volume, other classes can borrow unused bandwidth from it. In the following example, if class 2 has 100 MB of traffic and class 3 has 1 GB of traffic, then you should set the bandwidth for class 2 to 100 MB and for class 3 to 900 MB.
Class | Priority | guaranteed-bandwidth-percentage (%) | maximum-bandwidth-percentage (%) |
---|---|---|---|
2 | high | 20% | 100% |
3 | low | 20% | 100% |
If the profile configuration matches the table above, and the profile is applied to an egress interface with a total bandwidth of 1 GB, and both class 2 and class 3 have 1 GB of generated traffic, the results are the following:
Class | Priority | Actual bandwidth |
---|---|---|
2 | high | 80% of 1 GB (800 MB) |
3 | low | 20% of 1 GB (200 MB) |
The reason for these results is that both class 2 and class 3 are assigned their guaranteed bandwidth first, which is 200 MB each (20% of 1 GB). The remaining bandwidth of 600 MB is then allocated to class 2, because it has the higher priority.
The algorithm can get a bit more complex when you assign multiple classes with the same priority. When classes with the same priority compete for available bandwidth, the allocation to each class is proportional to its guaranteed-bandwidth-percentage.
Here's a slightly more complex example:
Class | Priority | guaranteed-bandwidth-percentage (%) | maximum-bandwidth-percentage (%) |
---|---|---|---|
2 | high | 20% | 100% |
3 | low | 20% | 100% |
4 | high | 30% | 100% |
If the profile configuration matches the table above, and is attached to an egress interface with a total bandwidth of 1 GB, and classes 2, 3, and 4 have 1 GB of traffic generated, the results are the following:
Class | Priority | Actual bandwidth |
---|---|---|
2 | high | 200 MB + 120 MB = 320 MB |
3 | low | 200 MB + 0 = 200 MB |
4 | high | 300 MB + 180 MB = 480 MB |
The reason for these results is that all classes are assigned their guaranteed bandwidth first, which is 200 MB, 200 MB, and 300 MB respectively. The remaining bandwidth of 300 MB is then allocated to class 2 and class 4, because of their higher priority settings. The allocation of the remaining 300 MB is proportional to their guaranteed bandwidth. In this case, it is 120 MB for class 2 (300 MB * 20 / 50) and 180 MB for class 4 (300 MB * 30 / 50).
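The two allocations above, worked through in an added Python model of the algorithm this section describes (this is not Fortinet's code). It assumes the surplus after guarantees goes to the highest priority level first, that ties within a level split in proportion to guaranteed-bandwidth-percentage, and that each class is capped by its maximum-bandwidth-percentage and by the traffic it actually offers, so it goes beyond the two tables and also reproduces the borrowing note above.

```python
"""Model of the egress shaping-profile allocation described on this page.
Added example, not FortiOS code. Bandwidth and demand share one unit (here MB)."""
from dataclasses import dataclass

# Higher priority wins the surplus; medium sits between high and low.
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class ShapingEntry:
    class_id: int
    priority: str
    guaranteed_pct: float   # guaranteed-bandwidth-percentage
    maximum_pct: float      # maximum-bandwidth-percentage
    demand: float           # traffic this class offers (constructed value)


def allocate(total: float, entries: list[ShapingEntry]) -> dict[int, float]:
    """Return the bandwidth each class-id receives on an interface with `total`."""
    def cap(e: ShapingEntry) -> float:
        # A class can never exceed its maximum percentage or its own demand.
        return min(total * e.maximum_pct / 100, e.demand)

    # Step 1: every class is served its guarantee first (unused guarantee is
    # left in the pool, which is how other classes "borrow" from a quiet class).
    alloc = {e.class_id: min(total * e.guaranteed_pct / 100, e.demand) for e in entries}
    remaining = total - sum(alloc.values())

    # Step 2: hand the surplus to each priority level in turn, highest first.
    for rank in sorted({PRIORITY_RANK[e.priority] for e in entries}):
        group = [e for e in entries if PRIORITY_RANK[e.priority] == rank]
        while remaining > 1e-9:
            # Only classes still below their cap take part in this round.
            open_ = [e for e in group if alloc[e.class_id] + 1e-9 < cap(e)]
            if not open_:
                break
            # Split proportionally to guaranteed percentage (evenly if all are 0).
            weights = [e.guaranteed_pct or 1.0 for e in open_]
            gave = 0.0
            for e, w in zip(open_, weights):
                share = remaining * w / sum(weights)
                grant = min(share, cap(e) - alloc[e.class_id])
                alloc[e.class_id] += grant
                gave += grant
            remaining -= gave   # any class that hit its cap leaves the rest for others
    return alloc


if __name__ == "__main__":
    # The second table on this page: 1 GB (1000 MB) link, every class offers 1 GB.
    profile = [ShapingEntry(2, "high", 20, 100, 1000), ShapingEntry(3, "low", 20, 100, 1000),
               ShapingEntry(4, "high", 30, 100, 1000)]
    print(allocate(1000, profile))   # {2: 320.0, 3: 200.0, 4: 480.0}
```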
Internet services support
The Internet Service Database (ISDB) and IP Reputation Database (IRDB) enhance traffic shaping criteria for traffic shaping policies.
To use Internet services in a traffic shaping policy, you must set the Source or Destination to one or more of the Internet services listed in the Internet Service tab.
To create a traffic shaping policy that uses Internet services – GUI:
- Create a new traffic shaping policy under Policy & Objects > Traffic Shaping Policy.
- Add the Internet Service of your choice to the Source and Destination by selecting from the Internet Service tab on the far right.
- Set the Outgoing Interface to the egress port that traffic passes through.
To create a traffic shaping policy that uses Internet services – CLI:
config firewall shaping-policy
edit <shaping_policy_ID>
set internet-service {enable | disable}
set internet-service-id <service_ID>
set internet-service-custom <custom_Internet_service_name>
set internet-service-src {enable | disable}
set internet-service-src-id <Internet_service_source_ID>
set internet-service-src-custom <custom_Internet_service_source_name>
next
end
where you set the following variables:
Option | Description |
---|---|
internet-service | Enables or disables the use of Internet services for this policy. If enabled, the FortiGate uses the Internet service destination address and service. |
internet-service-id | The Internet service ID. For example: |
internet-service-custom | Enter a custom Internet service name. |
internet-service-src | Enables or disables the use of Internet services as the source for this policy. If enabled, the FortiGate uses the Internet service source address. |
internet-service-src-id | The Internet service source ID. For example: |
internet-service-src-custom | The custom Internet service source name. NOTE: This custom name must already be configured. |