Traffic Shaping

Traffic Shapers

  • FortiGate offers three traffic shaping methods:

    • Shared policy shaping

    • Per-IP shaping

    • Interface-based shaping

  • Define Shaper: Policy & Objects > Object Configuration > Traffic Shapers

  • Apply to Policy: Policy & Objects > Policy Packages > Traffic Shaping Policy

    • Apply Shaper: Perform traffic shaping based on selected shaper

    • Apply Group: Assign matching traffic a traffic shaping class ID

  • Each traffic flow has an associated token bucket whose size equals the configured bandwidth limit. Tokens are added to the bucket at the configured rate, up to the capacity of the bucket; excess tokens are discarded.

  • The guaranteed bandwidth feature attempts to achieve or exceed the configured rate rather than limit it. FortiGate does not discard non-conforming packets as it does for maximum bandwidth. Instead, when the flow does not achieve the rate, FortiGate raises the priority queue of the packets in an effort to increase the rate.

  • By design, traffic shaping configured in a firewall policy, application list, or traffic shaper policy, uses an initial burst approach. This means that during transitions from no traffic to having traffic, for the first second of the transition, the rate can be up to two times the configured rate. Then, after the first second of the transition, the rate reduces to the configured rate, and should stay there.
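The token-bucket behaviour described above, as an added Python model (not FortiGate code): the bucket holds one second's worth of bytes at the configured maximum bandwidth, refills at that rate with excess tokens discarded, and drops packets that find it empty. Starting from a full bucket after idle reproduces the initial burst: the first second passes close to twice the configured rate, after which throughput settles at the rate. The offered load and the 1 Mbps limit are constructed values.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TokenBucket:
    """Bucket whose size equals the configured limit; tokens are bytes."""
    rate_bytes_per_s: int                      # configured maximum bandwidth
    capacity: Optional[int] = None             # defaults to one second's worth of bytes
    tokens: float = field(init=False)
    last_ms: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        if self.capacity is None:
            self.capacity = self.rate_bytes_per_s
        self.tokens = float(self.capacity)     # an idle flow starts with a full bucket

    def conform(self, now_ms: int, size: int) -> bool:
        """Refill for the elapsed time (excess discarded), then admit if tokens cover the packet."""
        refill = (now_ms - self.last_ms) * self.rate_bytes_per_s / 1000
        self.tokens = min(float(self.capacity), self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False                           # non-conforming: dropped, not queued


def forwarded_per_second(bucket: TokenBucket, packets) -> dict:
    """packets: iterable of (time_ms, size_bytes). Returns bytes forwarded in each second."""
    out: dict = {}
    for t_ms, size in packets:
        if bucket.conform(t_ms, size):
            out[t_ms // 1000] = out.get(t_ms // 1000, 0) + size
    return out


def constructed_load(seconds: int = 3, size: int = 1500):
    """Constructed offered load: one packet of `size` bytes every millisecond."""
    return [(s * 1000 + i, size) for s in range(seconds) for i in range(1000)]


if __name__ == "__main__":
    rate = 125_000  # constructed 1 Mbps maximum bandwidth, in bytes per second
    # One bucket shared by every matching flow models a shared shaper;
    # one bucket per policy models the per-policy option.
    print(forwarded_per_second(TokenBucket(rate), constructed_load()))
    # prints {0: 249000, 1: 124500, 2: 126000}: ~2x the rate in the first second, then the rate
```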

Shared Traffic Shaper

  • Reserves guaranteed and maximum bandwidth: packets are dropped if the maximum bandwidth is exceeded

  • For all policies using this shaper: the bandwidth limits are shared among all matching shaping policies

  • Per policy: the bandwidth limits apply separately to each matching shaping policy

Per-IP Traffic Shaper

  • Applies the shaper settings to each source IP address that matches the shaping policy

  • Can optionally configure concurrent sessions allowed per IP address

Application Control Shaping

  • Performs traffic shaping on applications, application categories, and URL categories

  • Requires application control on matching firewall policy

    • If using URL category shaping, web filtering must also be enabled

  • Policy & Objects > Policy Packages > Firewall Policy

  • Policy & Objects > Policy Packages > Traffic Shaping Policy

Reverse Direction Shaping

  • Reverse direction shaper is needed to shape any reply traffic

  • Per-IP shapers apply the speed limit in both directions of the traffic

  • Shared shapers affect original traffic only

  • Policy & Objects > Policy Packages > Traffic Shaping Policy

Interface-based Traffic Shaping

  • Traffic shaping policy can be used for interface-based traffic shaping by organizing traffic into groups

  • Shaping profiles define the percentage of the interface bandwidth that is allocated to each group

  • Based on this, each group is shaped to the assigned speed configured on the interface

  • Assigning a priority (High, Medium, Low) to each class plays a critical role in allocating bandwidth, because the priority determines which class takes precedence when multiple classes compete for the available bandwidth

  • Define Shaping Profile: Policy & Objects > Object Configuration > Shaping Profile

  • Apply to interface: Device Manager > Device & Groups > Managed FortiGate > System > Interfaces

Troubleshooting

  • diagnose firewall shaper traffic-shaper list name <$ShaperName>: view information for the shared traffic shaper

  • diagnose firewall shaper per-ip-shaper list: view information for the per-IP shaper

  • diagnose netlink interface list <$interface>: check speed limit for each class ID on an interface
