ChrisJForti
New Contributor

Traffic shaping recommendation v5.6

Good morning

 

We currently have FortiGates rolled out at each of our sites and are looking to tighten up our traffic shaping policies, as we are having instances where it currently bursts the bandwidth, albeit infrequently.

 

Is the recommendation from Fortinet to use Shared > Per Policy shapers?

 

I feel that Shared > All policies using this shaper would be a better fit for our environment but I have been advised that this is not the recommended way from Fortinet and they are trying to move people to Per Policy since the later firmware was released.

 

Any help/advice appreciated.

 

 

9 REPLIES
Nicholas_Doropoulos
Contributor

Hello!

 

The Shared > All policies option applies the shaping rules to all policies using the same shaper. For example, the shaper is set to be per policy with a maximum bandwidth of 1000 Kb/s. There are four security policies monitoring traffic through the FortiGate unit. All four have the shaper enabled. Each security policy must share the defined 1000 Kb/s, and it is set on a first come, first served basis. For example, if policy 1 uses 800 Kb/s, the remaining three must share 200 Kb/s. As policy 1 uses less bandwidth, it is opened up to the other policies to use as required. Once used, any other policies will encounter latency until free bandwidth opens from a policy currently in use.

 

On the other hand, the Shared > Per Policy shaper enables all policies using the configured shaper to have 200 Kb/s EACH. This shaper is probably more reliable, as all policies will share the same bandwidth and not encounter any latency as a result.

 

However, it's not really recommended to do either anymore since the above options work with security policies whereas Fortinet now recommends that you use traffic shaping policies instead. Given that you use 5.6, have a look at the video below to see how to go about it:

 

https://www.youtube.com/watch?v=IZ_ocOJZqbk

 

I hope that helps.

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3

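The difference between the two shaper scopes described in the post above, as an added example (not Fortinet's code and not from the original thread). The sharing rule it encodes for "All policies using this shaper" (one pool, first come first served, handed back when a policy's usage falls) is the one the post describes; the per-policy scope is modelled as each policy getting the configured maximum on its own, which is how FortiOS documents it. The 1000 Kb/s cap and four policies are the figures quoted in the post; the demand values are constructed.

```python
"""Model of what a shared traffic shaper's scope means for the policies that
use it.  Added example, not Fortinet's code.  Sharing rule: per-policy gives
each policy the full maximum; all-policies is one pool, first come first
served, returned to the pool when a policy's usage falls.  The 1000 Kb/s cap
and four policies are from the forum post; the demand values are constructed.
"""
from typing import List, Sequence


def allocate(demands_kbps: Sequence[int], max_kbps: int, per_policy: bool) -> List[int]:
    """Bandwidth each policy receives, given what each one is trying to send.

    demands_kbps is in arrival order, which is what "first come, first served"
    keys on for the all-policies scope.
    """
    if per_policy:
        # "Per policy": every policy using the shaper is capped at max_kbps
        # on its own; what the other policies do does not affect it.
        return [min(d, max_kbps) for d in demands_kbps]
    # "All policies using this shaper": a single pool of max_kbps shared by
    # every policy, handed out in arrival order until it is exhausted.
    pool = max_kbps
    allocation = []
    for demand in demands_kbps:
        granted = min(demand, pool)
        allocation.append(granted)
        pool -= granted
    return allocation


def starved(demands_kbps: Sequence[int], allocation: Sequence[int]) -> List[int]:
    """Indexes of policies that got less than they asked for; their excess
    traffic queues (the latency the post refers to) until bandwidth frees up."""
    return [i for i, (d, a) in enumerate(zip(demands_kbps, allocation)) if a < d]


def worst_case_link_load(n_policies: int, max_kbps: int, per_policy: bool) -> int:
    """Upper bound on what the shaper lets onto the link in total.  With the
    per-policy scope the cap applies per policy, so the aggregate is NOT
    bounded by max_kbps; check this before using per-policy to keep a
    circuit from saturating."""
    return max_kbps * n_policies if per_policy else max_kbps


if __name__ == "__main__":
    CAP = 1000                            # Kb/s, from the post
    busy = [800, 300, 200, 100]           # constructed demands, arrival order
    quiet = [100, 300, 200, 100]          # policy 1 has backed off
    for scope in (False, True):
        name = "per-policy" if scope else "all-policies"
        got = allocate(busy, CAP, scope)
        print(f"{name:13} busy : {got}  starved policies {starved(busy, got)}")
        got = allocate(quiet, CAP, scope)
        print(f"{name:13} quiet: {got}  starved policies {starved(quiet, got)}")
        print(f"{name:13} worst-case link load: {worst_case_link_load(4, CAP, scope)} Kb/s")
```

The practical check this adds to the post: with the all-policies scope, policies 2 to 4 are starved while policy 1 holds 800 Kb/s and recover as soon as it backs off, whereas with the per-policy scope four policies can put 4000 Kb/s on the link, so per-policy alone does not stop a circuit from bursting.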
Toshi_Esumi

My understanding is "per policy" vs. "all policies" didn't change from 5.2 or before to 5.4 or after. They work as nick22d explained above, and both are still needed depending on what kind of shapers you need. It's a config item in traffic shapers.

The way to apply the shapers has changed (been added to) since 5.4. Fortinet TAC recommended us to use shaping-policy instead of security/firewall policies when we were testing our QoS with 5.4.

ChrisJForti

Thanks for the feedback.

 

I think I am getting confused with this, as I believe we are using it the recommended way for v5.6: we have Traffic Shapers and Traffic Shaping Policies using the Traffic Shapers.

 

Can we still not then use either Per Policy or All Policies Using This Shaper, as they would both use Traffic Shaping Policies?

 

I also see your reasoning for Per Policy however I am working on the assumption we would then have bandwidth potentially not being used.

 

Simplistically I was thinking of doing the following on a 20MB connection, keeping in mind our remote offices connect via RDP and we want to prioritize VoIP and RDP sessions above everything else. Most other traffic is non-work-related, so we are not overly concerned about it.

 

Traffic Shapers

 

Voice 

Priority = High

Guaranteed Bandwidth = 3,072 Kbps

 

RDP

Priority = High

Guaranteed Bandwidth = 2,048 Kbps

 

The_Rest

Priority = Medium

Max Bandwidth = 15,360 Kbps

 

Traffic Shaping Policies

 

VOIP

Anything on voice VLAN use Voice shaper for shared and reverse

 

RDP

Anything using RDP Application use RDP shaper for shared and reverse

 

The_Rest

Anything other than the above use The_Rest shaper for shared and reverse

 

Or would you still recommend having the 15MB broken up with various max bandwidths?

 

We have been told we should also over-provision it, so currently allow the 3 shapers we have other than RDP and VOIP to have 20MB in total, working on the assumption it will only max out in scenarios when everything is being maxed out. This theory doesn't sit well with me.

Toshi_Esumi

I believe you can still use both, although we still need to re-test our QoS config developed for 5.4 with 5.6. I'm assuming the same at this moment.

 

Your thinking & config is about the same as mine. A couple of comments I'd like to make are:

- We're still relying on DSCP marking & values since VoIP packets travel through the network, not only the FGT sections. FGT seems to be using the values/priority mappings inside of the device (you must have seen in the handbook how to configure them), although nobody from FTNT can explain how they're used so far. I'm still waiting for the answer from the SE group.

- You need to think about management traffic as well. If the circuit is literally maxed out, your remote access might not work to troubleshoot.

matjazm

I have a scenario where I want to limit each department with a certain bandwidth. Let's say we have 5 departments and our uplink is 100Mbps. I want to limit each department to have 20Mbps.

 

config firewall shaper traffic-shaper
    edit "20Mbps"
        set maximum-bandwidth 20500
        set per-policy enable
    next
end

config firewall shaping-policy
    edit 2
        set comment "ACCOUNTING_DEPARTMENT"
        set service "ALL"
        set dstintf "wan"
        set traffic-shaper "20Mbps"
        set traffic-shaper-reverse "20Mbps"
        set srcaddr "ACCT_172.16.10.0/24"
        set dstaddr "all"
    next
end

 

The problem is that when I configure a traffic shaper for a certain department to 20Mbps and the limit is reached, packets get dropped.

 

We have migrated from Cisco where we had traffic shaping policies and when the limit was reached we didn't notice any packet loss.

 

Example of 20Mbps policy-map:

policy-map 20Mbps
  class rateclass
    police 20000000 2500000 5000000 conform-action transmit exceed-action drop

 

Is there a way to configure traffic shaping on a FortiGate to do something similar, or would I need to define a traffic shaping policy for each type of traffic and set a different priority, guaranteed bandwidth, etc.?

 

What is the recommendation?

Dave_Hall
Honored Contributor

Hi Matjaz.

 

What you probably want is to rate-limit the WAN ports (both ingress and egress), or at least start with that. If the various departments are on separate subnets and connected to the fgt via individual ports, you could rate-limit those ports too. Unless anyone else wants to chime in, I'd rather rate-limit traffic than play around with various traffic shaping rules if at all possible. That said, do take a read of The purpose of traffic shaping section if you are still planning that approach.

 

 

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Toshi_Esumi

With your Cisco policing config, it's supposed to drop exceeding packets because you configured "exceed-action drop". If you think it doesn't drop, some other factors are causing you to misread the actual traffic in "show policy-map".

 

In your case I would never configure 20.5 Mbps max for 5 departments sharing one 100 Mbps circuit. I would configure like:

set maximum-bandwidth 30000

set guaranteed-bandwidth 20000

so that each dept can go up to 30Mbps. Even when 3 depts generate max traffic, which probably doesn't happen at the exact same time, there is some breathing room for the other dept. You will need to adjust the numbers based on actual usages after implementing the shapers.

 

But if you have different type of traffic on the same circuit from each dept like voice, video, file transfer, etc. you should segregate those based on the types, which is more important than limiting the max for each dept.

 

matjazm

I know 20Mbps is not ideal but this is just an example.

 

There was traffic drop in our Cisco environment, but it wasn't so severe and it didn't happen right away. I'm not 100% sure how it works, but it looks like it works more like traffic shaping than policing, where excess traffic goes to a buffer and gets transmitted with a bit of delay (you do notice higher response times on ICMP traffic).

 

On the FortiGate you get packet loss as soon as you reach the maximum bandwidth limit.

 

Is there a way to get the FortiGate to work in a similar way to the traffic policy on Cisco? Is there no other way but to do different traffic shaping policies for different traffic types (QoS)?
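The policing-versus-shaping distinction matjazm is describing, as an added example (not Cisco's or Fortinet's code and not from the thread): a token-bucket model run over one constructed burst. The 20 Mbps CIR and 2,500,000-byte Bc are taken from the policy-map posted earlier in the thread; because that policy-map drops on exceed, the Be bucket never buys any extra forwarded traffic, so a single bucket of depth Bc is what matters. The 100 Mbps line rate, 1500-byte packets, 0.3 s burst and 0.5 s queue limit are constructed inputs, and the "hard cap" is modelled as a bucket with one packet of slack; that is an assumption used to show the effect of having no burst tolerance, not a description of FortiGate's internal algorithm.

```python
"""Token-bucket model contrasting a policer (drop what does not fit, as with
Cisco `police ... exceed-action drop`) with a shaper (queue it and send it
late).  Added example, not Cisco's or Fortinet's code.  CIR 20 Mbps and
Bc 2,500,000 bytes come from the posted policy-map; the burst, line rate,
packet size and queue limit are constructed test inputs.  Fractions keep the
arithmetic exact so the counts are reproducible.
"""
from dataclasses import dataclass, field
from fractions import Fraction
from typing import List, Sequence, Tuple

Packet = Tuple[Fraction, int]   # (arrival time in seconds, size in bytes)


@dataclass
class TokenBucket:
    rate_bps: Fraction          # committed rate, bits per second
    depth_bytes: int            # burst allowance, bytes
    tokens: Fraction = field(init=False)
    last_t: Fraction = field(default_factory=lambda: Fraction(0))

    def __post_init__(self) -> None:
        self.tokens = Fraction(self.depth_bytes)      # bucket starts full

    def refill(self, t: Fraction) -> None:
        """Credit the tokens earned since the last visit, capped at the depth."""
        earned = (t - self.last_t) * self.rate_bps / 8
        self.tokens = min(Fraction(self.depth_bytes), self.tokens + earned)
        self.last_t = t

    def take(self, t: Fraction, nbytes: int) -> bool:
        """Spend nbytes of tokens at time t if they are available."""
        self.refill(t)
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


def burst(n_packets: int, size: int = 1500, line_rate_bps: int = 100_000_000) -> List[Packet]:
    """Constructed input: n_packets sent back-to-back at line rate."""
    gap = Fraction(size * 8, line_rate_bps)
    return [(i * gap, size) for i in range(n_packets)]


def police(packets: Sequence[Packet], rate_bps: int, depth_bytes: int) -> Tuple[int, int]:
    """Policer: a packet that does not fit the bucket is dropped on the spot.
    Returns (sent, dropped)."""
    tb = TokenBucket(Fraction(rate_bps), depth_bytes)
    sent = dropped = 0
    for t, n in packets:
        if tb.take(t, n):
            sent += 1
        else:
            dropped += 1
    return sent, dropped


def shape(packets: Sequence[Packet], rate_bps: int, depth_bytes: int,
          max_delay_s) -> Tuple[int, int, Fraction]:
    """Shaper: a packet that does not fit waits, behind whatever is already
    queued, until enough tokens have been earned; it is dropped only if it
    would wait longer than max_delay_s (the buffer limit).
    Returns (sent, dropped, worst queueing delay in seconds)."""
    tb = TokenBucket(Fraction(rate_bps), depth_bytes)
    next_free = Fraction(0)         # when the packet ahead in the queue leaves
    max_delay = Fraction(max_delay_s)
    sent = dropped = 0
    worst = Fraction(0)
    for t, n in packets:
        start = max(t, next_free)
        tb.refill(start)
        shortfall = n - tb.tokens
        wait = shortfall * 8 / tb.rate_bps if shortfall > 0 else Fraction(0)
        tx = start + wait
        if tx - t > max_delay:
            dropped += 1            # buffer full: even a shaper drops here
            continue
        tb.refill(tx)
        tb.tokens = max(Fraction(0), tb.tokens - n)
        next_free = tx
        sent += 1
        worst = max(worst, tx - t)
    return sent, dropped, worst


if __name__ == "__main__":
    pkts = burst(2500)                      # 3.75 MB arriving in 0.3 s at 100 Mbps
    CIR, BC = 20_000_000, 2_500_000         # from the posted policy-map
    print("Cisco-style policer, CIR 20M / Bc 2.5MB:", police(pkts, CIR, BC))
    print("hard cap, one packet of slack:          ", police(pkts, CIR, 1500))
    s, d, w = shape(pkts, CIR, 1500, 0.5)
    print(f"shaper, 0.5 s buffer: sent={s} dropped={d} worst delay={float(w):.3f}s")
```

Running it shows why the two boxes felt different: the policer with the posted Bc forwards the first 2.5 MB of the burst untouched and only then starts dropping (334 of 2500 packets), a cap with no burst tolerance drops four packets in five from the very first millisecond, and the shaper forwards everything the buffer can hold, at the cost of up to half a second of added delay, which is the higher ICMP response time matjazm describes. Whichever box is in front, the sum of guaranteed bandwidth plus burst allowance has to be sized against the circuit, or the "drop" simply moves upstream.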

hnmr
New Contributor III

My 50 cent: 

 

... and if you start applying traffic shapers to some of your traffic, you definitely should consider applying traffic shaping to all of the (forwarded) traffic...

 

Best regards 
