Examples
While it is possible to configure QoS using a combination of security policies and ToS based priorities, and to distribute traffic over all six of the possible queues for each physical interface, the results of those configurations can be more difficult to analyze due to their complexity. In those cases, prioritization behavior can vary by several factors, including traffic volume, type of service (ToS) or differentiated services (DiffServ) markings, and correlation of session to a security policy.
The following simple examples illustrate QoS configurations using either prioritization by security policy, or prioritization by ToS bit, but not both. The examples also assume you are not configuring traffic shaping for interfaces that receive hardware acceleration from network processing units (NPU).
QoS using priority from security policies
Configurations implementing QoS using the priority values defined in the security policies are capable of applying bandwidth limits and guarantees.
In addition to configuring traffic shaping, you may also choose to limit the bandwidth accepted by each interface. This can be useful in scenarios where the bandwidth received on source interfaces frequently exceeds the maximum bandwidth limit defined in the security policy. Rather than waste processing power on packets that will get dropped later in the process, you may choose to preemptively police the traffic.
If you decide to implement QoS using security policies rather than ToS bit, the FortiGate applies QoS to all packets controlled by the policy. This type of control is less granular than prioritization by ToS bit, but has the benefits of correlating quality of service to a security policy. This correlation enables you to distribute traffic over up to four of the possible 6 priority queues (queue 0 to queue 3), doesn't require other devices in your network to set or respect the ToS bit, and enables you to configure bandwidth limits and guarantees.
In the following example, we limit the bandwidth accepted by each source interface, limit the bandwidth used by sessions controlled by the security policy, and then configure prioritized queuing on the destination interface based upon the priority in the security policy, subject to alternative assignment to queue 0 when necessary to achieve the guaranteed packet rate.
To limit bandwidth accepted by an interface – CLI:
config system interface
edit <interface_name>
set inbandwidth <limit>
next
end
where <rate_int>
is the bandwidth limit in Kbps. Excess packets are dropped.
To configure bandwidth guarantees, limits, and priorities – GUI:
- Go to Policy & Objects > Traffic Shapers and select Create New.
- Select Shared or Per-IP.
- Enter a name for the traffic shaper.
- Select the Traffic Priority.
High has a priority value of 1, Medium is 2, and Low is 3. While the current packet rate is below Guaranteed Bandwidth, the FortiGate disregards this setting, and instead uses priority queue. - Enable Max Bandwidth and enter a value.
Packets greater than this rate are discarded. - Enable Guaranteed Bandwidth and enter a value, if any.
Bandwidth guarantees affect prioritization. While packet rates are less than this rate, they use priority queue 0. If this isn't the effect you intend, consider entering a small guaranteed rate, or enter 0 to effectively disable bandwidth guarantees. - Enable DSCP and set a value.
- Select OK.
Per-IP shapers also include the option to set a maximum number of concurrent connections and to set both Forward DSCP and Reverse DSCP. |
Sample configuration
This sample configuration limits ingressing bandwidth to 500 Kbps. It also applies separate traffic shapers to FTP and HTTP traffic. In addition to the interface bandwidth limit, HTTP traffic is subject to a security policy bandwidth limit of 200 Kbps.
All egressing FTP traffic greater than 10 Kbps is subject to a low priority queue (queue 3), while all egressing HTTP traffic greater than 100 Kbps is subject to a medium priority queue (queue 2). That is, unless FTP traffic rates are lower than their guaranteed rate, and web traffic rates are greater than their guaranteed rate, FTP traffic is lower priority than web traffic.
Traffic less than these guaranteed bandwidth rates use the highest priority queue (queue 0).
To set the inbandwidth limits – CLI:
This setting is only available in the CLI.
config system interface
edit wan1
set inbandwidth 500
next
end
Create traffic shapers for FTP and HTTP.
To configure an FTP shaper – GUI:
- Go to Policy & Objects > Traffic Shapers, and select Create New.
- Select Shared.
- Enter
FTP
for the name of the traffic shaper. - Set Traffic Priority to Low.
- Select the Max Bandwidth checkbox and enter
500
Kbps. - Select the Guaranteed Bandwidth checkbox and enter
10
Kbps. - Select OK.
- Select the FTP traffic shaper, right-click it, and select Edit in CLI. Type the following command:
set per-policy
end
To configure an HTTP shaper – GUI:
- Select Create New.
- Set Type to Shared.
- Enter
HTTP
for the name of the traffic shaper. - Set Traffic Priority to Medium.
- Select the Max Bandwidth checkbox and enter
200
Kbps. - Select the Guaranteed Bandwidth checkbox and enter
100
Kbps. - Select OK.
- Select the HTTP traffic shaper, right-click it, and select Edit in CLI. Type the following command:
set per-policy
end
To add the FTP shaper to a traffic shaping policy – GUI:
- Go to Policy & Objects > Traffic Shaping Policy and select Create New to create a traffic shaping policy for FTP.
- Set the If Traffic Matches to the following:
Source | all |
Destination | all |
Service | FTP |
- In the Then section, set the following:
Outgoing Interface |
any The outgoing interface should match the outgoing interface of the security policy you want to apply shaping to. |
Shared Shaper | Enable Shared Shaper and select FTP from the drop-down menu. |
Reverse Shaper | Enable Shared Shaper and select FTP from the drop-down menu. |
- Select OK.
To add the HTTP shaper to a traffic shaping policy – GUI:
- Go to Policy & Objects > Traffic Shaping Policy and click Create New to create a traffic shaping policy for HTTP.
- Set the options in the If Traffic Matches section to the following:
Source | all |
Destination | all |
Service | HTTP |
- In the Then section, set the following:
Outgoing Interface | any The outgoing interface should match the outgoing interface of the security policy you want to apply traffic shaping to. |
Shared Shaper | Enable Shared Shaper and select HTTP from the drop-down menu. |
Reverse Shaper | Enable Shared Shaper and select HTTP from the drop-down menu. |
- Select OK.
- On the policy list page, move the FTP traffic shaping policy to the top of the list by clicking the far left column to drag and drop it. The HTTP traffic shaping policy should be below the FTP policy, and more general Internet access policies should be at the bottom of the policy list.
To configure the FTP and HTTP traffic shapers – CLI:
config firewall shaper traffic-shaper
edit FTP
set maximum-bandwidth 500
set guaranteed-bandwidth 10
set per-policy enable
set priority low
next
edit HTTP
set maximum-bandwidth 200
set guaranteed-bandwidth 100
set per-policy enable
set priority medium
end
To add each traffic shaper to a traffic shaping policy – CLI:
config firewall shaping-policy
edit 1 <shaping_policy_ID_number>
set srcaddr all
set dstaddr all
set service ALL
set dstintf wan1 <outgoing_interface>
set traffic-shaper FTP
next
edit 2 <shaping_policy_ID_number>
set srcaddr all
set dstaddr all
set service ALL
set dstintf wan1 <outgoing_interface>
set traffic-shaper HTTP
next
move 1 before 2
end
QoS using priority from ToS or DiffServ
Configurations implementing QoS using the priority values defined in either global or specific ToS bit values are not capable of applying bandwidth limits and guarantees, but are capable of prioritizing traffic at per-packet levels, rather than uniformly to all services matched by the security policy.
In addition to configuring traffic prioritization, you may also choose to limit bandwidth that's received by each interface. This can sometimes be useful in scenarios where you want to limit traffic levels, but don't want to configure traffic shaping within a security policy. This has the benefit of policing traffic at a point before the FortiGate performs most processing.
Note that if you implement QoS using ToS octet rather than security policies, the FortiGate applies QoS on a packet-by-packet basis, and priorities may be different for packets and services controlled by the same security policy. This is more granular control than prioritization by security policies, but has the drawbacks that quality of service may not be uniform for multiple services controlled by the same security policy, packets only use up to three of the six possible queues (queue 0 to queue 2), and bandwidth can't be guaranteed. Other devices in your network must also be able to set or preserve ToS bits.
In this example, we limit the bandwidth accepted by each source interface, and then configure prioritized queuing on the destination interface based upon the value of the ToS bit located in the IP header of each accepted packet.
To limit bandwidth accepted by an interface – CLI:
config system interface
edit <interface_name>
set inbandwidth <limit>
next
end
where <limit>
is the bandwidth limit in Kbps. Excess packets are dropped.
To configure the global priority value – CLI:
config system global
set tos-based-priority {high | low | medium}
end
where high
has a priority value of 0 and low
is 2.
If you want to prioritize some ToS bit values differently than the global ToS-based priority, configure the priority for packets with that ToS bit value using the following commands:
config system tos-based-priority
edit <id_int>
set tos [0-15]
set priority {high | low | medium}
next
end
where and tos
is the value of the ToS bit in the packet’s IP header, and high
has a priority value of 0 and low
is 2. Priority values configured in this location will override the global ToS-based priority.
Sample configuration
This sample configuration limits ingressing bandwidth to 500 Kbps. It also queues egressing traffic based upon the ToS bit in the IP header of ingressing packets.
Unless specified for the packet’s ToS bit value, packets use the low priority queue (queue 2). For ToS bit values 4 and 15, the priorities are specified as medium (value 1) and high (value 0), respectively.
config system interface
edit wan1
set inbandwidth 500
next
end
config system global
set tos-based-priority low
end
config system tos-based-priority
edit 4
set tos 4
set priority medium
next
edit 15
set tos 15
set priority high
next
end
Example setup for VoIP
In this example, there are three traffic shaping requirements for a network:
- Voice over IP (VoIP) requires a guaranteed, high-priority for bandwidth for telephone communications.
- FTP bursts must be contained so it doesn't consume any available bandwidth. As such, this traffic needs to be throttled to a smaller amount.
- A consistent bandwidth requirement is needed for all other email and web-based traffic.
To enable this requirement, you need to create three separate traffic shapers and three traffic shaping policies for each traffic type.
In this example, the values used aren't recommended values.
Creating the traffic shapers
First create the traffic shapers that define the maximum and guaranteed bandwidth. The shared traffic shapers are used with some applied per-policy and some applied to all policies, to better control traffic.
VoIP shaper
The VoIP functionality is a key component to the business as a communication tool and as such requires a guaranteed bandwidth. This traffic shaper is a high priority traffic shaper.
To create a VoIP shaper – GUI:
- Go to Policy & Objects > Traffic Shapers and select Create New.
- Set the Type to Shared.
- Enter the Name
voip
. - Set the Traffic Priority to High.
- Select Max Bandwidth and enter
1000
Kbps. - Select Guaranteed Bandwidth and enter
800
Kbps. - Select OK.
- Select the HTTP shaper, right-click it, and select Edit in CLI. Type the following command:
set per-policy
end
To create a VoIP shaper – CLI:
config firewall shaper traffic-shaper
edit voip
set maximum-bandwidth 1000
set guaranteed-bandwidth 800
set per-policy enable
set priority high
end
Setting the traffic shaper to per-policy ensures that regardless of the number of policies that use this traffic shaper, the defined bandwidth is always the same. At the same time, the bandwidth is continually guaranteed at 800 Kbps but, if available, can be as much as 1000 Kbps. Setting the priority to high ensures that the FortiGate considers VoIP traffic the most important.
FTP traffic shaper
The FTP traffic shaper sets the maximum bandwidth to use to avoid sudden spikes by sudden uploading or downloading of large files, and interfering with other more important traffic.
To create a FTP shaper – GUI:
- Go to Policy & Objects > Traffic Shapers and Create New.
- Set the Type to Shared.
- Enter the Name
ftp
. - Set the Traffic Priority to Low.
- Select Max Bandwidth and enter
200
Kbps - Select Guaranteed Bandwidth and enter
200
Kbps. - Select OK.
To create a FTP shaper - CLI:
config firewall shaper traffic-shaper
edit ftp
set maximum-bandwidth 200
set guaranteed-bandwidth 200
set priority low
end
For this traffic shaper, the maximum and guaranteed bandwidth are set to a low value and to the same value. In this case, the bandwidth is restricted to a specific amount. Setting the traffic priority to a low value ensures that more important traffic passes before FTP traffic.
Regular traffic shaper
The regular traffic shaper sets the maximum bandwidth and guaranteed bandwidth for everyday business traffic such as web and email traffic.
To create a regular traffic shaper – GUI:
- Go to Policy & Objects > Traffic Shapers and Create New.
- Set the Type to Shared.
- Enter the Name
daily_traffic
.. - Set the Traffic Priority to Medium.
- Select Max Bandwidth and enter
600
Kbps - Select Guaranteed Bandwidth and enter
600
Kbps. - Select OK.
To create a regular traffic shaper – CLI:
config firewall shaper traffic-shaper
edit daily_traffic
set maximum-bandwidth 600
set guaranteed-bandwidth 600
set per-policy enable
set priority medium
end
For this traffic shaper, the maximum and guaranteed bandwidth are set to a moderate value of 600 Kbps. It's also set per policy, which ensures each security policy for day-to-day business traffic has the same distribution of bandwidth.
Creating traffic shaping policies
To employ the traffic shapers,create traffic shaping policies that apply to your existing security policy. Create a separate policy for each service and apply the traffic shaper to the outgoing interface you want to use. For example, a policy for FTP traffic, a policy for SIP, and so on.
For the following steps, the VoIP traffic shaper is enabled as well as the reverse direction. This ensures that return traffic for a VoIP call has the same guaranteed bandwidth as the outgoing call. The example below shows how to enable each traffic shaper in a traffic shaping policy.
In this example, the traffic shaping policies will apply traffic shaping to the following security policy:
Incoming Interface | lan (Internal interface) |
Outgoing Interface | WAN1 |
Source | alll |
Destination | all |
Schedule | always |
Service | ALL |
Action | ACCEPT |
To create a VOIP traffic shaping policy – GUI:
- Go to Policy & Objects > Traffic Shaping Policy and select Create New.
- Now create a traffic shaping policy that matches the settings you entered for the security policy:
Source | all |
Destination | all |
Service | ALL |
Application Category | VoIP |
Application | SIP |
URL Category | Internet Telephony |
Outgoing Interface | wan1 |
- Enable Shared Shaper, select the VoIP traffic shaper that you created in the previous steps.
- Enable Reverse Shaper, select the VoIP traffic shaper that you created in the previous steps.
- Select OK.
To create a VOIP traffic shaping policy – CLI:
config firewall shaping-policy
edit 1 <shaping_policy_ID_number>
set srcaddr all
set dstaddr all
set service ALL
set application 34640 <SIP>
set app-category 3 <VoIP>
set url-category 76 <Internet Telephony>
set dstintf wan1 <outgoing_interface>
set traffic-shaper voip <high_priority_custom_shaper>
set reverse-traffic-shaper voip <high_priority_custom_shaper>
end
To create an FTP traffic shaping policy – GUI:
- Go to Policy & Objects > Traffic Shaping Policy and select Create New.
- Now create a traffic shaping policy that matches the settings you entered for your security policy:
Source | all |
Destination | all |
Service | FTP |
Outgoing Interface | wan1 |
- Enable Shared Shaper, select the FTP shaper created in the previous steps.
- Enable Reverse Shaper, select the FTP shaper created in the previous steps.
- Select OK.
To create an FTP traffic shaping policy – CLI:
config firewall shaping-policy
edit 2 <shaping_policy_ID_number>
set srcaddr all
set dstaddr all
set service FTP
set dstintf wan1 <outgoing_interface>
set traffic-shaper FTP <low_priority_custom_shaper>
set reverse-traffic-shaper FTP <low_priority_custom_shaper>
end
To create a regular traffic shaping policy – GUI:
- Go to Policy & Objects > Traffic Shaping Policy and select Create New.
- Create a traffic shaping policy that matches the settings you entered for your security policy:
Source | all |
Destination | all |
Service | ALL |
Outgoing Interface | wan1 |
- Enable Shared Shaper, select the medium-priority shaper.
- Enable Reverse Shaper, select the medium-priority shaper.
- Select OK.
To create a regular traffic shaping policy – CLI:
config firewall shaping-policy
edit 3 <shaping_policy_ID_number>
set srcaddr all
set dstaddr all
set service ALL
set dstintf wan1 <outgoing_interface>
set traffic-shaper medium-priority <default_shaper>
set reverse-traffic-shaper medium-priority <default_shaper>
end
To order your traffic shaping policies – CLI:
config firewall shaping-policy
move 1 before 2
move 3 below 2
end
Ensure that your high priority SIP/VoIP policy is at the top of the policy list, the low priority FTP traffic shaper comes second, and the medium priority regular traffic shaper comes last. Restrictive policies should always go above more general access policies. |
Alternate method of enabling traffic shaping in the security policy
It's also possible to create three separate security policies for each type of traffic (VoIP, FTP, and regular). You can enable traffic shaping individually within each security policy in the CLI only, like the example shown below:
To enable traffic shaping in the security policy – CLI:
config firewall policy
edit 6
set srcintf <internal_interface>
set srcaddr all
set dstintf wan1
set dstaddr all
set action accept
set schedule always
set service sip
set traffic-shaper voip
set reverse-traffic-shaper voip
end