Traffic shaping recommendation v5.6

Author: ChrisJForti
2018/05/29 07:57:43

Traffic shaping recommendation v5.6

Good morning
 
We currently have FortiGates rolled out at each of our sites and are looking to tighten up our traffic shaping policies, as we are having instances whereby it currently bursts the bandwidth, albeit infrequently.
 
Is the recommendation from Fortinet to use Shared > Per Policy shapers?
 
I feel that Shared > All policies using this shaper would be a better fit for our environment, but I have been advised that this is not the recommended way from Fortinet and that they are trying to move people to Per Policy since the later firmware was released.
 
Any help/advice appreciated.
 
 
#1


    Nicholas Doropoulos
    Re: Traffic shaping recommendation v5.6 2018/05/29 12:07:45
    Hello!
     
    The Shared > All policies option applies the shaping rules to all policies using the same shaper. For example, the shaper is set to be per policy with a maximum bandwidth of 1000 Kb/s. There are four security policies monitoring traffic through the FortiGate unit. All four have the shaper enabled. Each security policy must share the defined 1000 Kb/s, and it is set on a first come, first served basis. For example, if policy 1 uses 800 Kb/s, the remaining three must share 200 Kb/s. As policy 1 uses less bandwidth, it is opened up to the other policies to use as required. Once used, any other policies will encounter latency until free bandwidth opens from a policy currently in use.
     
    On the other hand, the Shared > Per Policy shaper enables all policies using the configured shaper to have 200 Kb/s EACH. This shaper is probably more reliable, as all policies will share the same bandwidth and not encounter any latency as a result.
     
    However, it's not really recommended to do either anymore since the above options work with security policies whereas Fortinet now recommends that you use traffic shaping policies instead. Given that you use 5.6, have a look at the video below to see how to go about it:
     
    https://www.youtube.com/watch?v=IZ_ocOJZqbk
     
    I hope that helps.
    #2
    Toshi Esumi
    Re: Traffic shaping recommendation v5.6 2018/05/29 13:22:13
    My understanding is "per policy" vs. "all policies" didn't change from 5.2 or before to 5.4 or after. They work as nick22d explained above, and both are still needed depending on what kind of shapers you need. It's a config item in traffic shapers.
    The way to apply the shapers has changed (been added to) since 5.4. Fortinet TAC recommended us to use shaping-policy instead of security/firewall policies when we were testing our QoS with 5.4.
    #3
    ChrisJForti
    Re: Traffic shaping recommendation v5.6 2018/05/31 06:34:30
    Thanks for the feedback.
     
    I think I am getting confused with this, as I believe we are using it the recommended way for v5.6: we have Traffic Shapers and Traffic Shaping Policies using the Traffic Shapers.
     
    Can we still not then use either Per Policy or All Policies Using This Shaper, as they would both use Traffic Shaping Policies?
     
    I also see your reasoning for Per Policy; however, I am working on the assumption we would then have bandwidth potentially not being used.
     
    Simplistically, I was thinking of doing the following on a 20 Mbps connection, keeping in mind our remote offices connect via RDP and we want to prioritize VoIP and RDP sessions above everything else. Most other traffic is non-work-related, which we are not overly concerned about.
     
    Traffic Shapers
     
    Voice 
    Priority = High
    Guaranteed Bandwidth = 3,072 Kbps
     
    RDP
    Priority = High
    Guaranteed Bandwidth = 2,048 Kbps
     
    The_Rest
    Priority = Medium
    Max Bandwidth = 15,360 Kbps
     
    Traffic Shaping Policies
     
    VOIP
    Anything on voice VLAN use Voice shaper for shared and reverse
     
    RDP
    Anything using RDP Application use RDP shaper for shared and reverse
     
    The_Rest
    Anything other than the above use The_Rest shaper for shared and reverse
     
    Or would you still recommend having the 15 Mbps broken up with various max bandwidths?
     
    We have been told we should also over-provision it, so currently allow the three shapers we have other than RDP and VoIP to have 20 Mbps in total, working on the assumption it will only max out in scenarios when everything is being maxed out. This theory doesn't sit well with me.
    #4
    Toshi Esumi
    Re: Traffic shaping recommendation v5.6 2018/05/31 09:31:26
    I believe you can still use both, although we still need to re-test our QoS config developed for 5.4 with 5.6. I'm assuming it is the same at this moment.
     
    Your thinking & config is about the same as mine. A couple of comments I'd like to make are:
    - We're still relying on DSCP marking & values, since VoIP packets travel through the network, not only the FGT sections. FGT seems to be using the values/priority mappings inside of the device (you must have seen in the handbook how to configure them), although nobody from FTNT can explain how they're used so far. I'm still waiting for the answer from the SE group.
    - You need to think about management traffic as well. If the circuit is literally maxed out, your remote access might not work to troubleshoot.
    #5
    matjazm
    Re: Traffic shaping recommendation v5.6 2019/07/08 07:00:26
    I have a scenario where I want to limit each department to a certain bandwidth. Let's say we have 5 departments and our uplink is 100 Mbps. I want to limit each department to 20 Mbps.
     
    config firewall shaper traffic-shaper
        edit "20Mbps"
            # maximum-bandwidth is in kbit/s by default; per-policy gives every
            # shaping policy that references this shaper its own 20 Mbit/s
            # rather than one pool shared by all of them
            set maximum-bandwidth 20500
            set per-policy enable
        next
    end
     
    config firewall shaping-policy
        edit 2
            set comment "ACCOUNTING_DEPARTMENT"
            set service "ALL"
            set dstintf "wan"
            # same shaper on both directions: 20 Mbit/s out and 20 Mbit/s back in
            set traffic-shaper "20Mbps"
            set traffic-shaper-reverse "20Mbps"
            set srcaddr "ACCT_172.16.10.0/24"
            set dstaddr "all"
        next
    end
     
    The problem is that when I configure a traffic shaper for a certain department to 20 Mbps and the limit is reached, packets get dropped.
     
    We have migrated from Cisco, where we had traffic shaping policies, and when the limit was reached we didn't notice any packet loss.
     
    Example of 20Mbps policy-map:
    policy-map 20Mbps
      class rateclass
       ! rate 20,000,000 bit/s, normal burst 2,500,000 bytes, excess burst 5,000,000 bytes
       police 20000000 2500000 5000000 conform-action transmit exceed-action drop
     
    Is there a way to configure traffic shaping on a FortiGate to do something similar, or would I need to define a traffic shaping policy for each type of traffic and set a different priority, guaranteed bandwidth, etc.?
     
    What is the recommendation?
    #6
    hnmr
    Re: Traffic shaping recommendation v5.6 2019/07/08 08:58:44
    My 50 cents: 
     
    ... and if you start applying traffic shapers to some of your traffic, you definitely should consider applying traffic shaping to all of the (forwarded) traffic...
     
    Best regards 
    #7
    Dave Hall
    Re: Traffic shaping recommendation v5.6 2019/07/08 09:04:23
    Hi Matjaz.
     
    What you probably want is to rate-limit the WAN ports (both ingress and egress), or at least start with that. If the various departments are on separate subnets and connected to the FGT via individual ports, you could rate-limit those ports too. Unless anyone else wants to chime in, I'd rather rate-limit traffic than play around with various traffic shaping rules if at all possible. That said, do take a read of the "The purpose of traffic shaping" section of the handbook if you are still planning that approach. 
     
     
     

    NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
    #8
    Toshi Esumi
    Re: Traffic shaping recommendation v5.6 2019/07/08 10:01:01
    With your Cisco policing config, it's supposed to drop exceeding packets, because you configured "exceed-action drop". If you think it doesn't drop, some other factors are causing you to misread the actual traffic in "show policy-map".
     
    In your case I would never configure 20.5 Mbps max for 5 depts. sharing one 100 Mbps. I would configure it like:
    set maximum-bandwidth 30000
    set guaranteed-bandwidth 20000
    so that each dept can go up to 30 Mbps. Even when 3 depts generate max traffic, which probably doesn't happen at the exact same time, there is some breathing room for the other depts. You will need to adjust the numbers based on actual usage after implementing the shapers.
     
    But if you have different type of traffic on the same circuit from each dept like voice, video, file transfer, etc. you should segregate those based on the types, which is more important than limiting the max for each dept.
     
    #9
    matjazm
    Re: Traffic shaping recommendation v5.6 2019/07/08 22:53:25
    I know 20 Mbps is not ideal, but this is just an example.
     
    There was traffic drop in our Cisco environment, but it wasn't so severe and it didn't happen right away. I'm not 100% sure how it works, but it looks like it works more like traffic shaping than policing, where excess traffic goes to a buffer and gets transmitted with a bit of delay (you do notice higher response times on ICMP traffic).
     
    On FortiGate you get packet loss as soon as you reach the maximum bandwidth limit.
     
    Is there a way to get FortiGate to work in a similar way to the traffic policy on Cisco? Is there no other way but to do different traffic shaping policies for different traffic types (QoS)?
    #10
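The policing-versus-shaping question running through posts #6, #9 and #10 comes down to what happens to a packet that arrives when the configured rate is already in use: a policer with exceed-action drop discards it once its token bucket is empty, while a shaper queues it and releases it later, trading loss for delay. The model below is an added example, not code from any poster, from Fortinet or from Cisco. It feeds a constant stream of 1500-byte packets (a constructed arrival pattern) at 40 Mbit/s into a 20 Mbit/s policer and a 20 Mbit/s shaper and reports what each does. The policer uses the thread's Cisco numbers: rate 20,000,000 bit/s and normal burst Bc 2,500,000 bytes, which is a full second of 20 Mbit/s, so the policer passes a 40 Mbit/s stream untouched for about one second before it starts dropping roughly every second packet. Be is not modelled. The shaper's queue size is an assumption chosen to show both the no-loss case and the tail-drop case.

```python
"""Token-bucket model of a single-rate policer versus a FIFO shaper.

Added example; not code from any poster, from Fortinet or from Cisco.
Packet size, arrival pattern and queue size are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Packet:
    t: float    # arrival time in seconds
    size: int   # bytes


class Policer:
    """One token bucket of bc_bytes, refilled at rate_bps; no queue at all."""

    def __init__(self, rate_bps: int, bc_bytes: int) -> None:
        self.rate = rate_bps / 8.0        # bytes per second
        self.bc = bc_bytes
        self.tokens = float(bc_bytes)     # bucket starts full (Cisco behaviour)
        self.last = 0.0
        self.sent = self.dropped = 0
        self.first_drop_t: Optional[float] = None

    def offer(self, p: Packet) -> bool:
        # Credit the bytes earned since the previous packet, capped at Bc.
        self.tokens = min(self.bc, self.tokens + (p.t - self.last) * self.rate)
        self.last = p.t
        if p.size <= self.tokens:         # conform-action transmit
            self.tokens -= p.size
            self.sent += 1
            return True
        self.dropped += 1                 # exceed-action drop
        if self.first_drop_t is None:
            self.first_drop_t = p.t
        return False


class Shaper:
    """FIFO queue holding at most queue_bytes, serviced at rate_bps (fluid model)."""

    def __init__(self, rate_bps: int, queue_bytes: int) -> None:
        self.rate = rate_bps / 8.0
        self.queue_bytes = queue_bytes
        self.next_free = 0.0              # time at which the backlog is fully drained
        self.sent = self.dropped = 0
        self.max_delay = 0.0

    def offer(self, p: Packet) -> Optional[float]:
        # Bytes still waiting = time until the link is free * service rate.
        backlog = max(0.0, self.next_free - p.t) * self.rate
        if backlog + p.size > self.queue_bytes:
            self.dropped += 1             # tail drop: the queue is full
            return None
        start = max(p.t, self.next_free)  # wait behind whatever is queued
        self.next_free = start + p.size / self.rate
        self.sent += 1
        delay = start - p.t
        self.max_delay = max(self.max_delay, delay)
        return delay


def seconds_until_policer_drops(rate_bps: int, bc_bytes: int, input_bps: int) -> float:
    """Seconds a steady source at input_bps (> rate_bps) runs before a single-rate
    policer with normal burst bc_bytes starts dropping: the full bucket drains
    at (input - rate) bytes per second."""
    if input_bps <= rate_bps:
        return float("inf")
    return bc_bytes * 8 / (input_bps - rate_bps)


def run_scenario(input_bps: int, rate_bps: int, duration_s: float,
                 bc_bytes: int, queue_bytes: int, pkt_bytes: int = 1500) -> Dict[str, float]:
    """Offer the same constant-rate stream to a policer and a shaper of equal rate."""
    policer = Policer(rate_bps, bc_bytes)
    shaper = Shaper(rate_bps, queue_bytes)
    interval = pkt_bytes * 8 / input_bps            # seconds between arrivals
    n = int(duration_s * input_bps / 8 / pkt_bytes)  # packets offered in duration_s
    for i in range(n):
        p = Packet(t=i * interval, size=pkt_bytes)
        policer.offer(p)
        shaper.offer(p)
    return {
        "offered": n,
        "policer_sent": policer.sent,
        "policer_dropped": policer.dropped,
        "policer_first_drop_t": -1.0 if policer.first_drop_t is None else policer.first_drop_t,
        "shaper_sent": shaper.sent,
        "shaper_dropped": shaper.dropped,
        "shaper_max_delay_s": shaper.max_delay,
    }


if __name__ == "__main__":
    # Thread's Cisco numbers (20 Mbit/s, Bc 2,500,000 bytes) fed at 40 Mbit/s.
    print("policer tolerates %.2f s of 40 Mbit/s before dropping"
          % seconds_until_policer_drops(20_000_000, 2_500_000, 40_000_000))
    for queue in (10_000_000, 1_000_000):   # assumed queue sizes
        print("queue %d bytes:" % queue,
              run_scenario(40_000_000, 20_000_000, 2.0, 2_500_000, queue))
```

With the large queue the shaper loses nothing but its delay climbs to about two seconds by the end of the run, which is the "higher response time" effect; with the 1 MB queue the delay is capped near 0.4 s and tail drops appear instead. The policer shows neither delay nor any loss for the first second, then drops about half of everything that follows, which is what "exceed-action drop" with a one-second Bc looks like from the outside.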