Traffic shaping methods

There are three types of traffic shaping configurations in FortiOS. Each type has a specific function, and all types can be used together in varying configurations. Policy shaping allows you to define the maximum bandwidth and the guaranteed bandwidth set for a security policy. Per-IP traffic shaping allows you to define traffic control on a more granular level. Application traffic shaping goes further, allowing traffic controls on specific applications or application groupings.

This section describes the types of traffic shapers and how to configure them in the GUI and the CLI.

Note: To configure traffic shaping in the GUI, you must enable Traffic Shaping in System > Feature Visibility.

Traffic shaping options

When you configure traffic shaping for your network, you can use the following methods to control the flow of network traffic to ensure that the traffic you want gets through, while also limiting bandwidth for less important traffic or traffic that consumes a lot of bandwidth.

  • Shared policy shaping - bandwidth management by security policies
  • Per-IP shaping - bandwidth management by user IP addresses
  • Application control shaping - bandwidth management by application

Traffic shapers allow you to define how traffic will flow by setting the traffic priority, bandwidth, and DSCP options. You create shared policy traffic shapers and per-IP traffic shapers under Policy & Objects > Traffic Shapers.

You then enable traffic shapers within the traffic shaping policy, under Policy & Objects > Traffic Shaping Policy.

You can apply application control shaping to any traffic shaping policy, under Policy & Objects > Traffic Shaping Policy. You can control traffic by application category, application, and URL category.

Note: To apply application control shaping, you must first enable application control at the policy level, under Policy & Objects > IPv4 Policy.

Traffic shaping policies allow you to apply traffic shaping measures to any traffic that matches your criteria. The criteria must specify a source, destination, service, and outgoing interface. Also, you must enable at least one type of traffic shaper to create a traffic shaping policy.

You can enable all three traffic shaping options on a FortiGate at the same time within a single traffic shaping policy. Generally, the hierarchy for traffic shapers in FortiOS is:

  • Application control traffic shaper
  • Shared policy traffic shaper
  • Per-IP traffic shaper

Within this hierarchy, if an application control list has a traffic shaper defined, it has precedence over any other policy traffic shaper. For example, the Facebook application control example in Application control shaping supersedes any security policy enabled traffic shapers. While the Facebook application may reach its maximum bandwidth, the user can still have the bandwidth room available from the shared traffic shaper and, if enabled, the per-IP traffic shaper.

Equally, any security policy shared traffic shaper has precedence over any per-IP traffic shaper. However, traffic that exceeds any of these traffic shapers is dropped. For example, the policy traffic shaper takes effect first, but if the per-IP traffic shaper limit is reached first, the traffic for that user is dropped even if the shared traffic shaper limit for the policy hasn't been exceeded.

Shared policy traffic shaping

Traffic shaping by security policy allows you to control the maximum and guaranteed throughput for any security policies specified in the traffic shaping policy.

When you configure a traffic shaper, you can apply bandwidth shaping per policy or for all policies. Depending on your selection, the FortiGate applies the traffic shaping rules differently.

Note: By default, shared traffic shapers apply traffic shaping evenly to all policies that use them. For the Per policy and All policies using this shaper options to appear in the GUI, you must first enable per-policy shaping in the CLI. Go to Policy & Objects > Traffic Shapers and right-click on the traffic shaper to edit it in the CLI. Enter the following CLI commands:

set per-policy enable

end

Per policy

When you select a shared traffic shaper to be per policy, the FortiGate applies the traffic shaping rules to each security policy individually.

For example, if a traffic shaper is set to per policy with a maximum bandwidth of 1000 Kb/s and applied to four security policies, each policy has the same maximum bandwidth of 1000 Kb/s.

Per policy traffic shaping is compatible with client/server (active-passive) transparent mode WAN optimization rules. Traffic shaping is ignored for peer-to-peer WAN optimization and for client/server WAN optimization not operating in transparent mode.

For all policies using a traffic shaper

When you select a shared shaper to apply to all policies (All policies using this shaper), the FortiGate applies the traffic shaping rules to all policies using the same shaper. For example, a traffic shaper is set to apply to all policies using it, with a maximum bandwidth of 1000 Kbps. There are four security policies monitoring traffic through the FortiGate, and all four have the traffic shaper enabled. The four security policies must share the defined 1000 Kbps on a first come, first served basis. For example, if policy 1 uses 800 Kbps, the remaining three must share 200 Kbps. As policy 1 uses less bandwidth, that bandwidth is opened up to the other policies to use as required. Once it's used, any other policy encounters latency until bandwidth is freed by a policy currently using it.
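The difference between the two modes, and the way the per-IP shaper lower in the hierarchy can drop a user's traffic even while the shared shaper still has room, is easier to see in a small model. The following Python is an added illustration, not FortiOS code: the 1000 Kbps ceiling and the 800 Kbps figure are the page's example, while the per-IP cap, the policy demands and the source addresses are constructed for the demonstration.

```python
"""Model of how a FortiOS shared shaper hands bandwidth to the security
policies that use it, in the two modes this page describes (Per policy and
All policies using this shaper), with an optional per-IP shaper applied
after it as in the shaper hierarchy above.

Added illustration only, not FortiOS code: the 1000 Kbps ceiling and the
800 Kbps figure are the page's example; the per-IP cap, policy demands
and source addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SharedShaper:
    name: str
    max_kbps: int      # 0 means unlimited, as in the CLI
    per_policy: bool   # True = Per policy, False = All policies using this shaper


@dataclass(frozen=True)
class PerIpShaper:
    name: str
    max_kbps: int      # cap per source IP; 0 means unlimited


@dataclass(frozen=True)
class Flow:
    policy_id: int
    src_ip: str
    demand_kbps: int


def allocate(shaper, flows, per_ip=None):
    """Return {(policy_id, src_ip): (allowed_kbps, dropped_kbps)}.

    Flows are processed in arrival order, which is what first come, first
    served means for a shaper applied to all policies. Traffic above any
    applicable limit is dropped: a per-IP limit can drop a user's traffic
    even when the shared shaper still has room, as the page states.
    """
    shared_unlimited = shaper.max_kbps == 0
    pool = shaper.max_kbps          # remaining Kbps in All-policies mode
    used_by_policy = {}             # Kbps granted so far, Per-policy mode
    used_by_ip = {}                 # Kbps granted so far per source IP
    result = {}
    for f in flows:
        allowed = f.demand_kbps
        # 1. The shared shaper takes effect first.
        if not shared_unlimited:
            if shaper.per_policy:
                room = shaper.max_kbps - used_by_policy.get(f.policy_id, 0)
            else:
                room = pool
            allowed = min(allowed, max(room, 0))
        # 2. The per-IP shaper, lower in the hierarchy, can only cut further.
        if per_ip is not None and per_ip.max_kbps > 0:
            room = per_ip.max_kbps - used_by_ip.get(f.src_ip, 0)
            allowed = min(allowed, max(room, 0))
        # Book only the bandwidth actually granted.
        if not shared_unlimited:
            if shaper.per_policy:
                used_by_policy[f.policy_id] = used_by_policy.get(f.policy_id, 0) + allowed
            else:
                pool -= allowed
        used_by_ip[f.src_ip] = used_by_ip.get(f.src_ip, 0) + allowed
        result[(f.policy_id, f.src_ip)] = (allowed, f.demand_kbps - allowed)
    return result


# Constructed sample: four security policies, one user each, all wanting 800 Kbps.
FLOWS = [
    Flow(1, "10.0.0.11", 800),
    Flow(2, "10.0.0.12", 800),
    Flow(3, "10.0.0.13", 800),
    Flow(4, "10.0.0.14", 800),
]

if __name__ == "__main__":
    for mode in (True, False):
        print("per-policy" if mode else "all-policies",
              allocate(SharedShaper("shared-1M", 1000, mode), FLOWS))
    print("per-policy + per-IP cap 500",
          allocate(SharedShaper("shared-1M", 1000, True), FLOWS,
                   PerIpShaper("user-cap", 500)))
```

In All-policies mode the first policy takes 800 Kbps and the second gets the remaining 200, leaving nothing for policies 3 and 4; in Per-policy mode each gets its full 800. Adding a 500 Kbps per-IP shaper trims every user to 500 even though each policy's own 1000 Kbps ceiling is far from reached.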

Maximum and guaranteed bandwidth

The maximum bandwidth sets the largest amount of traffic allowed through the security policy. Depending on the service or the users included in the security policy, this number can provide a larger or smaller throughput, depending on the priority you set for the traffic shaper.

The Maximum Bandwidth can be set to a value of between 1 and 16776000 Kbps. The GUI gives an error if any value outside of this range is used, but in the CLI a value of 0 can be entered. Setting the maximum bandwidth to 0 provides unlimited bandwidth.

The guaranteed bandwidth ensures there's a consistent reserved bandwidth available for a given service or user. When setting the guaranteed bandwidth, ensure that the value is significantly less than the bandwidth capacity of the interface; otherwise little or no other traffic passes through the interface, potentially causing unwanted latency.

Traffic priority

Select a traffic priority of high, medium, or low, so the FortiGate manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server that needs to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth isn't needed for high-priority connections.

Be sure to enable traffic shaping on all security policies. If you don't apply a traffic shaping rule to a policy, the policy is set to high priority by default. Distribute security policies over all three priority queues.

Traffic shaping policy order

You must also place the traffic shaping policies in the correct order in the traffic shaping policy list page to get the desired results. It's necessary to arrange your traffic shaping policies into a sequence that places your more granular policies above general Internet access policies. For example, you should place any policies with application control shaping at the top of the traffic shaping policy list, followed by more general traffic shaping policies with shared policy shapers and per-IP traffic shapers.

The policy list page is located under Policy & Objects > Traffic Shaping Policy. To change the order of the policies, select the far left column to move the policy up or down. Make sure that the ID column is showing on your menu so you can easily verify a policy's position in the sequence.

For example, you can place a high priority VoIP traffic shaping policy at the top of the list, followed by restrictive policies that control streaming media, and your general Internet access policy last.

Traffic shaping policy configuration settings

To configure a traffic shaping policy, go to Policy & Objects > Traffic Shaping Policy and select Create New to create a new traffic shaping policy.

Policies are enabled by default. If you want to disable a traffic shaping policy, set Status to Disabled.

Set the If Traffic Matches section to the default options shown below or specify the criteria so that it matches a specific security policy.

Source: all (default)
Destination: all (default)
Service: ALL (default)
Application Category: Choose an application category to apply traffic shaping to a specific category of applications, such as P2P, Social.Media, or VoIP.
Application: Choose an application to specify which applications you want to apply traffic shaping to, such as YouTube, Vimeo, or Facebook.
URL Category: Choose a URL category to block a subset of applications. For example, you can block potentially liable websites, security risks, and bandwidth consuming services.

Set the options in the Then section to the following:

Outgoing Interface: any

Set this to the external interface that you want to apply traffic shaping to. For example, wan1 is often used.

Shared Shaper

This affects uploads or outbound traffic.

Choose one of the default shared traffic shapers: guarantee-100kbps, high-priority, medium-priority, low-priority, shared-1M-pipe, or create your own under Policy & Objects > Traffic Shapers. Shared traffic shapers share the allotted bandwidth with any security policies using them (unless they're set to per-policy in the CLI).

Reverse Shaper

This affects downloads or inbound traffic.

Choose one of the default shared traffic shapers: guarantee-100kbps, high-priority, medium-priority, low-priority, shared-1M-pipe, or create your own under Policy & Objects > Traffic Shapers.

Per-IP Shaper

Per-IP shapers affect both downloads and uploads. Enable a per-IP traffic shaper if you want to manage bandwidth by user IP address.

You create traffic shapers under Policy & Objects > Traffic Shapers.

To create the traffic shaping policy – CLI:

config firewall shaping-policy

edit <shaping_policy_ID>

set srcaddr <source_address>

set dstaddr <destination_address>

set service <service_name>

set schedule {always | none}

set application <application_ID_list>

set app-category <application_category_ID_list>

set url-category <URL_category_ID_list>

set dstintf <destination_interface_list>

set traffic-shaper <shared_shaper_name>

set traffic-shaper-reverse <reverse_traffic_shaper_name>

set per-ip-shaper <per_IP_shaper_name>

end

VLAN, VDOM, and virtual interfaces

Policy-based traffic shaping doesn't use queues directly. It shapes the traffic and if the packet is allowed by the security policy, a priority is assigned. That priority controls what queue the packet is put in upon egress. VLANs, VDOMs, aggregate ports, and other virtual devices don't have queues and, as such, traffic is sent directly to the underlying physical device where it's queued and affected by the physical ports. This is also the case with IPsec connections.

Shared traffic shaper configuration settings

To configure a shared traffic shaper go to Policy & Objects > Traffic Shapers and select Create New to create a new traffic shaper.

Type: Select Shared.
Name: Enter a name for the traffic shaper.
Apply shaper: When you select Per policy, the FortiGate applies the traffic shaping rules to each security policy individually. For example, if a traffic shaper is set to per policy with a maximum bandwidth of 1000 Kbps, each security policy that has that traffic shaper enabled gets 1000 Kbps of bandwidth.

When you select All policies using this shaper, the FortiGate applies the traffic shaping rules to all policies that use the same traffic shaper. For example, a traffic shaper is set to apply to all policies using it, with a maximum bandwidth of 1000 Kbps. There are four security policies monitoring traffic through the FortiGate, and all four have the traffic shaper enabled. The four security policies must share the defined 1000 Kbps on a first come, first served basis. For example, if policy 1 uses 800 Kbps, the remaining three must share 200 Kbps. As policy 1 uses less bandwidth, that bandwidth becomes available to the other policies to use as required. Once it's used, any other policy encounters latency until bandwidth is freed by a policy currently using it.
Traffic Priority: Select the priority level so the FortiGate manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server that needs to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority.

If you don't apply a traffic shaping priority, the priority is set to High by default.
Max Bandwidth: The maximum bandwidth sets the largest amount of traffic allowed through the security policy. Depending on the service or the users included in the security policy, this number provides a larger or smaller throughput, depending on the priority you set for the traffic shaper.

Setting Max Bandwidth to 0 provides unlimited bandwidth.
Guaranteed Bandwidth: The guaranteed bandwidth ensures that a consistent reserved bandwidth is available for a given service or user. Set it to a value that's significantly less than the bandwidth capacity of the interface. Otherwise, little or no other traffic passes through the interface, potentially causing unwanted latency.

Setting Guaranteed Bandwidth to 0 provides unlimited bandwidth.

DSCP: Enter the number for the DSCP value. You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet. For more information, see Traffic shaping methods.

Shared traffic shaper per policy example

The following steps create a per policy traffic shaper called “Throughput” with a maximum traffic amount of 720,000 Kbps, and a guaranteed traffic of 150,000 Kbps with a high traffic priority.

To create the shared traffic shaper – GUI:
  1. Go to Policy & Objects > Traffic Shapers and select Create New.
  2. Set the Type to Shared.
  3. Enter the Name Throughput.
  4. Set the Apply shaper field to Per policy.

Note: By default, shared traffic shapers apply traffic shaping evenly to all policies that use it. For the Per policy and All policies using this shaper options to appear in the GUI, you must first enable it in the CLI. Go to Policy & Objects > Traffic Shapers and right-click on the traffic shaper to edit it in the CLI. Enter the following CLI commands:

set per-policy enable

end

  5. Set the Traffic Priority to High.
  6. Enable Max Bandwidth and enter the value 150000.
  7. Enable Guaranteed Bandwidth and enter the value 120000.
  8. Select OK.
To create the shared traffic shaper – CLI:

config firewall shaper traffic-shaper

edit Throughput

set per-policy enable

set maximum-bandwidth 150000

set guaranteed-bandwidth 120000

set priority high

end
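When shapers are created from automation rather than typed in, the ranges this page gives are worth enforcing before anything reaches the device. The following Python helper is an added example, not FortiOS code: it emits the same `config firewall shaper traffic-shaper` block as above as a string and applies the page's stated limits (maximum bandwidth 1..16776000 Kbps, with 0 meaning unlimited in the CLI). The check that a non-zero guarantee doesn't exceed a non-zero maximum is this helper's own sanity rule, not something the page states FortiOS enforces.

```python
"""Emit a `config firewall shaper traffic-shaper` block with the checks this
page states: maximum bandwidth is 1..16776000 Kbps, 0 meaning unlimited
(the GUI rejects anything outside 1..16776000; only the CLI accepts 0).

Added helper, not FortiOS code. It returns the CLI text as a string so the
block can be reviewed before being pushed by whatever tooling you use; the
guaranteed-below-maximum check is this helper's own sanity rule.
"""

MAX_KBPS = 16776000
PRIORITIES = ("high", "medium", "low")


def check_bandwidth(label, kbps, allow_zero=True):
    """Raise ValueError unless kbps is 0 (unlimited) or within 1..MAX_KBPS."""
    if isinstance(kbps, bool) or not isinstance(kbps, int):
        raise ValueError(f"{label} bandwidth must be an integer number of Kbps")
    if kbps == 0 and allow_zero:
        return kbps
    if not 1 <= kbps <= MAX_KBPS:
        raise ValueError(f"{label} bandwidth {kbps} is outside 1..{MAX_KBPS} Kbps")
    return kbps


def traffic_shaper_cli(name, maximum_kbps, guaranteed_kbps=0,
                       priority="high", per_policy=False):
    """Return the CLI lines that create (or overwrite) a shared shaper."""
    if not name or any(ch.isspace() for ch in name):
        raise ValueError("shaper name must be a single token")
    check_bandwidth("maximum", maximum_kbps)
    check_bandwidth("guaranteed", guaranteed_kbps)
    if priority not in PRIORITIES:
        raise ValueError(f"priority must be one of {PRIORITIES}")
    # Helper's own check: a guarantee above the ceiling can never be honoured.
    # Skipped when either side is 0, because 0 means unlimited.
    if maximum_kbps and guaranteed_kbps and guaranteed_kbps > maximum_kbps:
        raise ValueError("guaranteed bandwidth exceeds maximum bandwidth")
    lines = ["config firewall shaper traffic-shaper", f"    edit {name}"]
    if per_policy:
        lines.append("        set per-policy enable")
    lines += [
        f"        set maximum-bandwidth {maximum_kbps}",
        f"        set guaranteed-bandwidth {guaranteed_kbps}",
        f"        set priority {priority}",
        "    next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # The page's "Throughput" example, per policy, 150000 / 120000 Kbps, high priority.
    print(traffic_shaper_cli("Throughput", 150000, 120000, "high", per_policy=True))
```

Calling `traffic_shaper_cli("Throughput", 150000, 120000, "high", per_policy=True)` reproduces the CLI block above; a value such as 16776001, a name containing a space, or a guarantee above the maximum is rejected before any configuration is generated.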

Per-IP traffic shaping

Traffic shaping by IP allows you to apply traffic shaping to all source IP addresses in the security policy. In addition to controlling the maximum bandwidth for users of a selected policy, you can also define the maximum number of concurrent sessions.

Per-IP traffic shaping allows you to limit the behavior of every member of a policy so that no single user can use all of the available bandwidth. The bandwidth is shared equally within a group. Using a per-IP traffic shaper avoids having to create multiple policies for every user you want to apply a traffic shaper to. Per-IP traffic shaping isn't supported over NP2 interfaces.

Per-IP traffic shaping configuration settings

To configure per-IP traffic shaping go to Policy & Objects > Traffic Shapers and select Create New.

Type: Select Per-IP.
Name: Enter a name for the per-IP traffic shaper.
Max Bandwidth: The maximum bandwidth sets the largest amount of traffic allowed through the security policy. Depending on the service or the users included in the security policy, this number can provide a larger or smaller throughput, depending on the priority you set for the traffic shaper.

Setting Max Bandwidth to 0 (zero) provides unlimited bandwidth.
Max Concurrent Connections: Enter the maximum allowed concurrent connections.
Forward DSCP / Reverse DSCP: Enter the number for the DSCP value. You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet. For more information, see Traffic shaping methods.

Example

The following steps create a per-IP traffic shaper called “Accounting” with a maximum traffic amount of 720,000 Kbps, and the number of concurrent sessions of 200.

To create the per-IP traffic shaper – GUI:
  1. Go to Policy & Objects > Traffic Shapers and select Create New.
  2. Set the Type to Per-IP.
  3. Enter the Name Accounting.
  4. Enable the Max Bandwidth and enter the value 720000.
  5. Enable the Max Concurrent Sessions and enter the value 200.
  6. Select OK.
To create the per-IP traffic shaper – CLI:

config firewall shaper per-ip-shaper

edit Accounting

set max-bandwidth 720000

set max-concurrent-session 200

end

Adding a per-IP traffic shaper to a traffic shaping policy

Per-IP traffic shaping is supported by IPv6 security policies. You can add any per-IP traffic shaper to an IPv6 security policy in the CLI.

Policies are enabled by default. If you want to disable a traffic shaping policy, set Status to Disabled.

Example

The following steps show you how to add an existing per-IP traffic shaper to an IPv6 security policy. Make sure that you have already created a per-IP traffic shaper under Policy & Objects > Traffic Shapers.

To add a per-IP traffic shaper to an IPv6 security policy – GUI:
  1. Go to Policy & Objects > IPv6 Policy and select Create New to create an Internet access policy.
  2. Set the following:
Name: Enter a descriptive name
Incoming Interface: Internal
Outgoing Interface: wan1
Source: all
Destination Address: all
Schedule: always
Service: ALL
Action: ACCEPT
  3. Select OK.
  4. Go to Policy & Objects > Traffic Shaping Policy and select Create New to create a new traffic shaping policy.
  5. To apply your traffic shaping policy to the security policy you created earlier, set the If Traffic Matches section to the following:
Source: all
Destination: all
Service: ALL
Application Category: -
Application: -
URL Category: -
  6. In the Then section, set the following:
Outgoing Interface: any. The outgoing interface should match the outgoing interface of the security policy you want to apply traffic shaping to.
Shared Shaper: -
Reverse Shaper: -
Per-IP Shaper: Enable Per-IP Shaper and select your traffic shaper from the drop-down menu.
  7. Select OK.
  8. On the Traffic Shaping Policy page, move the per-IP traffic shaper to the top of the list by clicking on the far left column to drag and drop it.

 

There are two methods to configure traffic shaping in the CLI. You can add a per-IP traffic shaper directly to an IPv6 security policy, or you can add a per-IP shaper to a traffic shaping policy. The second method will allow you to apply traffic shaping based on the interface and can therefore affect multiple security policies easily. The first method requires that you enable traffic shaping individually in all policies using the same two interfaces.

To add a per-IP traffic shaper to an IPv6 security policy – CLI:

config firewall policy6

edit <security_policy_ID_number>

set per-ip-shaper <per_IP_shaper_name>

end

To add a per-IP traffic shaper to an IPv6 traffic shaping policy – CLI:

config firewall shaping-policy

edit <shaping_policy_ID>

set ip-version 6

set srcaddr <source_address>

set dstaddr <destination_address>

set service <service_name>

set dstintf <outgoing_interface>

set per-ip-shaper <per_IP_shaper_name>

end

Application control shaping

Traffic shaping is also possible for specific applications. Application control shaping works in conjunction with a shared traffic shaper or per-IP traffic shaper. You must create a traffic shaper with the bandwidth settings you would like to enforce or edit one of the predefined traffic shapers on the Traffic Shapers page.

Traffic shaping policies allow you to enable these traffic shapers and configure application control options. In the traffic shaping policy, you can set an Application Category, Application, and URL Category. You must also specify which security policies to apply your traffic shaper to by setting the options in the If Traffic Matches section. You create a traffic shaping policy under Policy & Objects > Traffic Shaping Policy.

Note: For application control shaping to work, application control must be enabled in a security policy, through Policy & Objects > IPv4 Policy or Policy & Objects > IPv6 Policy, in the Security Profiles section.

Also, application control traffic shaping affects only applications that are set to pass in Security Profiles > Application Control.

Policies are enabled by default. If you want to disable a traffic shaping policy, set Status to Disabled.

Example

This example sets the traffic shaping definition for Facebook to medium priority, which is a default traffic shaper.

To add traffic shaping for Facebook – GUI:
  1. Go to Policy & Objects > IPv4 Policy to create a general Internet access security policy.
  2. Select Create New to create a new security policy (or edit an existing Internet access policy).
  3. Set the following to enable application control within a security policy:
Name: Enter a descriptive name.
Incoming Interface: Internal
Outgoing Interface: wan1
Source: all
Destination: all
Schedule: always
Service: ALL
Action: ACCEPT
Application Control: In the Security Profiles section, enable Application Control and select the default application control profile.
  4. Select OK.
  5. Go to Policy & Objects > Traffic Shaping Policy and select Create New to create a new traffic shaping policy.
  6. To apply your traffic shaping policy to the security policy you created earlier, set the If Traffic Matches section to the following:
Source: all
Destination: all
Service: ALL
Application Category: Social.Media
Application: Facebook
URL Category: Social Networking
  7. In the Then section, set the following:
Outgoing Interface: any. The outgoing interface should match the outgoing interface of the security policy you want to apply shaping to.
Shared Shaper: Enable Shared Shaper and select medium-priority from the drop-down menu.
Reverse Shaper: Enable Reverse Shaper and select medium-priority from the drop-down menu.
  8. Select OK.
  9. On the Traffic Shaping Policy page, move the Facebook traffic shaping policy to the top of the list by clicking on the far left column to drag and drop it.
To create a traffic shaping policy for Facebook – CLI:

config firewall shaping-policy

edit 1 <shaping_policy_ID_number>

set srcaddr all

set dstaddr all

set service ALL

set application 15832

set app-category 23 <Social.Media>

set url-category 37 <Social Networking>

set dstintf wan1 <outgoing_interface>

set traffic-shaper medium-priority

set traffic-shaper-reverse medium-priority

end

Reverse direction traffic shaping

The traffic shaper you select in the traffic shaping policy (shared traffic shaper) affects the traffic in the direction defined in the policy. For example, if the source interface is lan and the destination interface is wan1, the traffic shaping affects the flow in this direction only, that is, the upload speed of the outbound traffic. You can define a traffic shaper for the policy in the opposite direction to affect the download speed of the inbound traffic, in this example from wan1 to lan.

To add a reverse shaper – GUI:
  1. Go to Policy & Objects > Traffic Shaping Policy.
  2. Select Create New or select an existing policy and click Edit.
  3. Set the If Traffic Matches to match the interfaces of any security policies you want to affect.
  4. Navigate to the Then section, enable the Shared Shaper, and select a traffic shaper from the drop-down menu.
  5. Enable the Reverse Shaper and select a traffic shaper from the drop-down menu.
  6. Select OK.

Setting the reverse direction only

There may be instances where you only need traffic shaping for incoming connections, which is in the reverse direction of typical traffic shapers.

To add a reverse traffic shaper – GUI:
  1. Go to Policy & Objects > Traffic Shaping Policy.
  2. Click Create New or select an existing policy and click Edit.
  3. Set the If Traffic Matches to match the interfaces of any security policies you want to affect.
  4. Navigate to the Then section, enable the Reverse Shaper and select a traffic shaper from the drop-down menu.
  5. Select OK.
To configure a reverse-only traffic shaper in a traffic shaping policy – CLI:

config firewall shaping-policy

edit <policy_number>

set traffic-shaper-reverse medium-priority

end

To configure a reverse-only shaper within a security policy – CLI:

config firewall policy

edit <policy_number>

...

set traffic-shaper-reverse <shaper_name>

end

Enabling traffic shaping in the security policy

Historically, FortiOS traffic shapers have always been enabled within a security policy. This is no longer the easiest way to apply traffic shapers, since in FortiOS 5.4 traffic shaping is now configured in the traffic shaping policy section, under Policy & Objects > Traffic Shaping Policy. However, you can still enable traffic shapers within a security policy using CLI commands and it will then appear in the GUI afterwards. The traffic shapers always go into effect after any DoS detection policies, and before any routing or packet scanning occurs.

Traffic shaping is also supported for IPv6 policies.

Note: This isn't the recommended method, as it's easier to keep track of and order your traffic shaping policies if you configure them within a traffic shaping policy.
To enable traffic shaping within a security policy – CLI:

config firewall policy

edit <policy_number>

...

set traffic-shaper <traffic_shaper_name>

set traffic-shaper-reverse <traffic_shaper_name>

set per-ip-shaper <per_IP_traffic_shaper_name>

end

 

Shared traffic shapers affect outbound traffic heading to a destination. To affect inbound traffic, or downloads, enable the Reverse Shaper also. For more information, see Reverse direction traffic shaping.

Scheduling traffic shaping policies

You can apply different traffic shaping profiles at different times. This "schedule" attribute is available in the CLI, and you can use this feature to apply a recurring schedule to your traffic shaping policies. The default recurring schedule options available are always or none. You can also create new schedules or schedule groups under Policy & Objects > Schedules. This allows you to create custom recurring or one-time schedules that can then be applied to your traffic shaping policies using the CLI commands below.

To schedule traffic shaping policies – CLI:

config firewall shaping-policy

edit <shaping_policy_ID>

set schedule {always | none}

end

ToS priority

Type of service (ToS) is an 8-bit field in the IP header that allows you to determine how the IP datagram should be delivered, using criteria of delay, throughput, priority, reliability, and cost. Each quality helps gateways determine the best way to route datagrams. A router maintains a ToS value for each route in its routing table. The lowest priority ToS is 0, and the highest is 7 when bits 3, 4, and 5 are all set to 1. There are other seldom used or reserved bits that aren't listed here.

Together these bits are the ToS variable of the tos-based-priority command. The router tries to match the ToS of the datagram to the ToS on one of the possible routes to the destination. If there's no match, the datagram is sent over a zero ToS route. Using increased quality may increase the cost of delivery because better performance may consume limited network resources.

Each bit represents the priority as defined in RFC 1349:

  • 1000 - minimize delay
  • 0100 - maximize throughput
  • 0010 - maximize reliability
  • 0001 - minimize monetary cost
To set the ToS value – CLI:

config system tos-based-priority

edit <sequence_number>

set tos [0-15]

set priority {high | medium | low}

end

 

Where tos is the value of the type of service bits in the IP datagram header, between 0 and 15, and priority is the traffic shaping priority assigned to that type of service. These priority levels conform to the firewall traffic shaping priorities, as defined in RFC 1349.

For example, if you want to configure a FortiGate so that reliability is the first priority, set the ToS value to 4.

config system tos-based-priority

edit 1

set tos 4

set priority high

end

 

For a list of ToS values and their DSCP equivalents, see Traffic mapping.

Example

config system tos-based-priority

edit 1

set tos 1

set priority low

next

edit 4

set tos 4

set priority medium

next

edit 6

set tos 6

set priority high

next

end
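The example above maps three ToS values to the three shaping priorities; the Python below, an added illustration rather than FortiOS code, parses that block, pulls the ToS value out of a raw IPv4 header and performs the first step of the sequence described in ToS in FortiOS (ToS to priority) for a packet. Two assumptions are made: that the 0..15 value `set tos` takes is the RFC 1349 four-bit ToS field (bits 3 to 6 of the octet, with the bit names listed above: 1000 delay, 0100 throughput, 0010 reliability, 0001 cost), and that a ToS value with no entry keeps the page's default priority of high. The packets are constructed.

```python
"""Decode the ToS octet of an IPv4 header and apply a tos-based-priority
table, following the sequence this page gives: FortiOS maps the packet's
ToS to a priority on receipt, then the shaper may adjust it.

Added illustration, not FortiOS code. Assumptions: the 0..15 value that
`set tos` takes is the RFC 1349 four-bit ToS field, bits 3 to 6 of the
octet, with the bit names the page lists; ToS values with no entry keep
the page's default priority of high. The table is the page's CLI example
and the packets are constructed.
"""
import struct

TOS_BIT_NAMES = {
    0b1000: "minimize delay",
    0b0100: "maximize throughput",
    0b0010: "maximize reliability",
    0b0001: "minimize monetary cost",
}
PRIORITIES = ("high", "medium", "low")


def parse_tos_based_priority(cli_text):
    """Turn a `config system tos-based-priority` block into {tos: priority}."""
    table, tos = {}, None
    for raw in cli_text.splitlines():
        parts = raw.split()
        if parts[:2] == ["set", "tos"] and len(parts) == 3:
            tos = int(parts[2])
            if not 0 <= tos <= 15:
                raise ValueError(f"tos {tos} outside 0..15")
        elif parts[:2] == ["set", "priority"] and len(parts) == 3:
            if tos is None or parts[2] not in PRIORITIES:
                raise ValueError(f"bad entry: {raw.strip()}")
            table[tos] = parts[2]
        elif parts in (["next"], ["end"]):
            tos = None
    return table


def tos_value(ipv4_header):
    """Four-bit ToS field: drop the 3 precedence bits above it and the
    must-be-zero bit below it (assumption on how `set tos` is interpreted)."""
    return (ipv4_header[1] >> 1) & 0x0F


def describe_tos(value):
    """Names of the RFC 1349 bits set in a 0..15 ToS value."""
    return [name for bit, name in TOS_BIT_NAMES.items() if value & bit]


def priority_for_packet(ipv4_header, table, default="high"):
    """Step 1 of the page's sequence: ToS to priority via the table."""
    return table.get(tos_value(ipv4_header), default)


def build_ipv4_header(tos_octet, src="10.0.0.1", dst="10.0.0.2"):
    """Constructed 20-byte IPv4 header (no options, checksum left 0)."""
    def to_bytes(ip):
        return bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos_octet, 20, 0, 0, 64, 6, 0,
                       to_bytes(src), to_bytes(dst))


# The page's example table
EXAMPLE_CLI = """
config system tos-based-priority
edit 1
set tos 1
set priority low
next
edit 4
set tos 4
set priority medium
next
edit 6
set tos 6
set priority high
next
end
"""

if __name__ == "__main__":
    table = parse_tos_based_priority(EXAMPLE_CLI)
    for octet in (0x02, 0x08, 0x0C, 0xE2, 0x10):
        hdr = build_ipv4_header(octet)
        v = tos_value(hdr)
        print(f"ToS octet 0x{octet:02x}: tos {v} {describe_tos(v)} -> "
              f"{priority_for_packet(hdr, table)}")
```

Note that the precedence bits are masked off, so an octet of 0xE2 still yields ToS 1 and therefore low priority, while an octet of 0x10 (ToS 8, minimize delay) has no entry and keeps the default.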

ToS in FortiOS

Traffic shaping and ToS follow the following sequence:

  • The CLI command tos-based-priority acts as a tos-to-priority mapping. FortiOS maps the ToS to a priority when it receives a packet.
  • Traffic shaping settings adjust a packet’s priority according to the traffic.
  • Deliver the packet based on its priority.

Traffic shaping units of measurement

Bandwidth speeds are measured in kilobits per second (Kbps), and bytes that are sent and received are measured in megabytes (MB). Occasionally this can cause confusion depending on whether your ISP uses kilobits per second (Kbps), kilobytes per second (KBps), megabits per second (Mbps), or gigabits per second (Gbps).

Download speeds

  • 1 kilobyte per second (KBps) = 8 kilobits per second (Kbps)
  • 1 megabit per second (Mbps) = 1,000,000 bits per second (bps)
  • 1 gigabit per second (Gbps) = 1,000 megabits per second (Mbps)

File sizes

  • 1 megabyte (MB) = 1,024 kilobytes (KB)
  • 1 gigabyte (GB) = 1,024 megabytes (MB) or 1,048,576 kilobytes (KB)
To change a traffic shaper's unit of measurement - CLI:

config firewall shaper traffic-shaper

edit <traffic_shaper_name>

set bandwidth-unit {kbps | mbps | gbps}

end

Interface-based traffic shaping

You can enable traffic shaping on an interface. This allows you to enforce bandwidth limits for individual interfaces, by percentage. To configure interface-based traffic shaping, you must classify traffic in a traffic shaping policy, assign bandwidth percentages in a traffic shaping profile, and apply the traffic shaping profile as the egress traffic shaper on an interface.

Note: Currently, only egress traffic shaping is available. To achieve ingress traffic shaping, you can typically configure egress traffic shaping on the alternate interface. For example, if you want to control inbound traffic on the WAN interface of the FortiGate, you can apply outbound traffic shaping to the LAN interface.

Classifying traffic

You can use a traffic shaping policy to classify traffic. Edit a traffic shaping policy with the config firewall shaping-policy command and set class-id. A FortiGate stores the class-id on the kernel session, so that it can quickly categorize any traffic that matches the criteria you define in the traffic shaping policy.

To set the traffic class – CLI:

config firewall shaping-policy

edit <shaping_policy_ID>

...

set class-id <value>

next

end

where class-id is a value in the range of 2 to 31.

Assigning bandwidth percentages

You can assign bandwidth percentages using the config firewall shaping-profile command. Set a bandwidth guarantee with the guaranteed-bandwidth-percentage command and a maximum bandwidth with the maximum-bandwidth-percentage command.

To assign bandwidth percentages in a traffic shaping profile – CLI:

config firewall shaping-profile

edit <egress_shaper_name>

set default-class-id 2

config shaping-entries

edit 1

set class-id 2

set priority {low | medium | high}

set guaranteed-bandwidth-percentage 3

set maximum-bandwidth-percentage 50

next

edit 3

set class-id 5

set priority {low | medium | high}

set guaranteed-bandwidth-percentage 3

set maximum-bandwidth-percentage 50

next

end

end

where you set the following variables:

default-class-id

The default class ID handles unclassified packets, including all local traffic. You must define the default class ID, since unclassified traffic must be controlled.

Note that any traffic class that's defined in the traffic shaping policy, but isn't defined in the traffic shaping profile, is classified as part of the default class ID.

class-id

The class-id is a value in the range of 2 to 31.

priority

The priority assigned (low, medium, high) to the class also plays a critical role in the bandwidth algorithm. Basically, priority decides which class can win when multiple classes compete for the available bandwidth on the interface.

guaranteed-bandwidth-percentage

The guaranteed-bandwidth-percentage is a value in the range of 0 to 100 percent. The guaranteed bandwidth reserves a set amount of bandwidth for the class of traffic you select.

For example, if you set the guaranteed-bandwidth-percentage to 3, then the FortiGate assigns at least 3% of the total bandwidth on the interface to that traffic class (as long as the current traffic volume of this class is more than 3% of the total volume). If the current traffic volume of this class is less than 3% of the total bandwidth of the interface, then it's not shaped.

maximum-bandwidth-percentage

The maximum-bandwidth-percentage is a value in the range of 0 to 100 percent. The maximum bandwidth defines the hard limit for traffic in that class. The class never has more bandwidth than the amount of bandwidth you define. You can assign 100% as the value, so that the class can potentially take all of the bandwidth of the designated interface.

 

Note:

Important requirements:

  • The guaranteed-bandwidth-percentage of the default class (in this example, class-id 2) must be greater than or equal to 1%. This ensures that local traffic always has some guaranteed bandwidth. However, the guaranteed-bandwidth-percentage of other classes can be 0.
  • The guaranteed-bandwidth-percentage must not exceed the value of the maximum-bandwidth-percentage.
  • The sum of guaranteed-bandwidth-percentage of all entries in one profile must not exceed 100%.

Apply the traffic shaping profile

You can apply the egress traffic shaper to an interface, using the config system interface command to edit the interface of your choice. Then, set the inbandwidth and outbandwidth values to the total amount of bandwidth that's available on the interface. Set the egress-shaping-profile to the traffic shaping profile you want to apply.

To apply the egress shaper to an interface – CLI:

config system interface

edit <interface-name>

set inbandwidth <limit>

set outbandwidth <limit>

set egress-shaping-profile <egress_shaper_name>

next

end

where inbandwidth and outbandwidth are the total amount of bandwidth that's available on the interface, as a value in the range of 0 to 1677600 kbps, and egress-shaping-profile is the traffic shaping profile you want to apply.

Example of competing priority classes

The following example can help you understand how the bandwidth algorithm uses both the class ID and the priority settings to determine which class wins when there are competing traffic classes. These examples are based on the assumption that the traffic volume of each class is larger than its allocated bandwidth.

Note:

If a class has a small traffic volume, other classes can borrow unused bandwidth from it. In the following example, if class 2 has 100 MB of traffic and class 3 has 1 GB of traffic, then you should set the bandwidth for class 2 to 100 MB and for class 3 to 900 MB.

Class   Priority   guaranteed-bandwidth-percentage (%)   maximum-bandwidth-percentage (%)
2       high       20%                                   100%
3       low        20%                                   100%

If the profile configuration matches the table above, and the profile is applied to an egress interface with a total bandwidth of 1 GB, and both class 2 and class 3 have 1 GB of generated traffic, the results are the following:

Class   Priority   Actual bandwidth
2       high       80% of 1 GB (800 MB)
3       low        20% of 1 GB (200 MB)

The reason for these results is that both class 2 and class 3 are assigned their guaranteed bandwidth first, which is 200 MB each (20% of 1 GB). The remaining 600 MB is then allocated to class 2, because it has the higher priority.

The algorithm can get a bit more complex when you assign multiple classes with the same priority. When the same priority classes compete for available bandwidth, the allocation to each class is proportional to its guaranteed-bandwidth-percentage.

Here's a slightly more complex example:

Class   Priority   guaranteed-bandwidth-percentage (%)   maximum-bandwidth-percentage (%)
2       high       20%                                   100%
3       low        20%                                   100%
4       high       30%                                   100%

If the profile configuration matches the table above, and is attached to an egress interface with a total bandwidth of 1 GB, and classes 2, 3, and 4 have 1 GB of traffic generated, the results are the following:

Class   Priority   Actual bandwidth
2       high       200 MB + 120 MB = 320 MB
3       low        200 MB + 0 = 200 MB
4       high       300 MB + 180 MB = 480 MB

The reason for these results is that all classes are assigned their guaranteed bandwidth first: 200 MB, 200 MB, and 300 MB respectively. The remaining 300 MB is then allocated to class 2 and class 4, because of their higher priority setting. The allocation of the remaining 300 MB is proportional to their guaranteed bandwidth: 120 MB for class 2 (300 MB * 20 / 50) and 180 MB for class 4 (300 MB * 30 / 50).
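A small model of the bandwidth algorithm that the two examples above describe, added here as an illustration (it is not FortiOS code or anything published by Fortinet): guaranteed percentages are honoured first, the remainder goes to the highest priority tier, and classes within a tier split it in proportion to their guaranteed-bandwidth-percentage. The same block checks a profile against the three requirements listed under "Important requirements" earlier in this section. How a maximum-bandwidth-percentage cap is handled (the excess spills to the next class or tier), how a class that offers less traffic than its share is handled (the note about borrowing), and how classes with a 0% guarantee share a tier are assumptions that go beyond the page's examples; the names ShapingEntry, validate_profile and allocate are this example's own.

```python
"""Model of the shaping-profile bandwidth algorithm as the page describes it.

Assumptions beyond the page: a class never receives more than it offers or than
its maximum-bandwidth-percentage allows, any excess is handed on, and classes
with a 0% guarantee split a tier's leftover equally. Not FortiOS code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PRIORITIES = ("high", "medium", "low")   # tiers are served in this order
EPS = 1e-9


@dataclass(frozen=True)
class ShapingEntry:
    """One entry under 'config shaping-entries' of a shaping profile."""
    class_id: int
    priority: str
    guaranteed_pct: int
    maximum_pct: int


def validate_profile(entries: List[ShapingEntry], default_class_id: int) -> List[str]:
    """Check a profile against the page's requirements; an empty list means it is valid."""
    problems = []
    by_id = {e.class_id: e for e in entries}
    default = by_id.get(default_class_id)
    if default is None:
        problems.append(f"default class {default_class_id} has no shaping entry")
    elif default.guaranteed_pct < 1:
        problems.append(f"default class {default_class_id} must guarantee at least 1%")
    for e in entries:
        if not 2 <= e.class_id <= 31:
            problems.append(f"class {e.class_id}: class-id must be in the range 2 to 31")
        if e.priority not in PRIORITIES:
            problems.append(f"class {e.class_id}: unknown priority {e.priority!r}")
        if e.guaranteed_pct > e.maximum_pct:
            problems.append(f"class {e.class_id}: guaranteed {e.guaranteed_pct}% "
                            f"exceeds maximum {e.maximum_pct}%")
    total_guaranteed = sum(e.guaranteed_pct for e in entries)
    if total_guaranteed > 100:
        problems.append(f"guaranteed percentages sum to {total_guaranteed}% (limit is 100%)")
    return problems


def allocate(entries: List[ShapingEntry], total: float,
             offered: Optional[Dict[int, float]] = None) -> Dict[int, float]:
    """Return the bandwidth each class-id ends up with, in the same unit as `total`.

    `offered` maps class-id to the traffic that class actually generates; leave it
    out to reproduce the page's examples, where every class offers more than it gets.
    """
    offered = offered or {}
    # Hard ceiling per class: its maximum percentage, or less if it offers less traffic.
    ceiling = {e.class_id: min(e.maximum_pct * total / 100,
                               offered.get(e.class_id, float("inf"))) for e in entries}
    # Step 1: every class receives its guaranteed share (bounded by its ceiling).
    alloc = {e.class_id: min(e.guaranteed_pct * total / 100, ceiling[e.class_id])
             for e in entries}
    remaining = total - sum(alloc.values())
    # Step 2: the leftover goes to each priority tier in turn, split by guarantee.
    for prio in PRIORITIES:
        tier = [e for e in entries if e.priority == prio]
        while remaining > EPS:
            hungry = [e for e in tier if ceiling[e.class_id] - alloc[e.class_id] > EPS]
            if not hungry:
                break                      # tier is saturated; pass the rest down
            weight = sum(e.guaranteed_pct for e in hungry)
            given = 0.0
            for e in hungry:
                # Assumption: classes guaranteeing 0% split the tier's share equally.
                share = (remaining * e.guaranteed_pct / weight if weight
                         else remaining / len(hungry))
                add = min(share, ceiling[e.class_id] - alloc[e.class_id])
                alloc[e.class_id] += add
                given += add
            remaining -= given             # a capped class leaves its excess for another pass
            if given <= EPS:
                break
    return alloc


# The page's first example: 1 GB link, classes 2 (high) and 3 (low), 20% guaranteed each.
PAGE_EXAMPLE_1 = [ShapingEntry(2, "high", 20, 100), ShapingEntry(3, "low", 20, 100)]
# The page's second example adds class 4 (high, 30% guaranteed).
PAGE_EXAMPLE_2 = PAGE_EXAMPLE_1 + [ShapingEntry(4, "high", 30, 100)]

if __name__ == "__main__":
    for entries in (PAGE_EXAMPLE_1, PAGE_EXAMPLE_2):
        print(validate_profile(entries, default_class_id=2), allocate(entries, 1000))
```

Run as a script, the block prints the allocations for the page's two examples (800/200 and 320/200/480 with a total of 1000), and validate_profile returns an empty list for both because each profile satisfies the three requirements. Passing offered={2: 100, 3: 1000} to the first example reproduces the borrowing note above: class 2 is held to the 100 it offers and class 3 takes the remaining 900.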

Internet services support

The Internet Service Database (ISDB) and IP Reputation Database (IRDB) enhance traffic shaping criteria for traffic shaping policies.

To use Internet services in a traffic shaping policy, you must set the Source or Destination to one or more of the Internet services listed in the Internet Service tab.

To create a traffic shaping policy that uses Internet services – GUI:
  1. Create a new traffic shaping policy under Policy & Objects > Traffic Shaping Policy.
  2. Add the Internet Service of your choice to the Source and Destination by selecting from the Internet Service tab on the far right.
  3. Set the Outgoing Interface to the egress port that traffic passes through.

To create a traffic shaping policy that uses Internet services – CLI:

config firewall shaping-policy

edit <shaping_policy_ID>

set internet-service {enable | disable}

set internet-service-id <service_ID>

set internet-service-custom <custom_Internet_service_name>

set internet-service-src {enable | disable}

set internet-service-src-id <Internet_service_source_ID>

set internet-service-src-custom <custom_Internet_service_source_name>

next

end

where you set the following variables:

internet-service

Enables or disables the use of Internet services for this policy. If enabled, the FortiGate uses the Internet service destination address and service.

internet-service-id

The Internet service ID. For example:

  • 65536 Google-Others
  • 65537 Google-Web

internet-service-custom

Enter a custom Internet service name.

internet-service-src

Enables or disables the use of Internet services in source for this policy. If enabled, the FortiGate uses the Internet Services source address.

internet-service-src-id

The Internet service source ID. For example:

  • 65536 Google-Others
  • 65537 Google-Web

internet-service-src-custom

The custom Internet service source name.

NOTE: This custom name must already be configured.