itoperations
New Contributor

Having a hard time understanding Traffic Shaping

Hello all, I'm currently using 2 FortiGate 201E set up for HA.

Our current ISP is giving us 50Mbs.

We just moved from Cisco ASAs to these new FortiGate firewalls.

Before the switch there was never any bandwidth issue.

Problem is now it seems downloading and uploading files takes way too long, only getting like 500kbs per second.

Now I know this can be rectified using traffic shaping.

I'll explain my environment and what I need to do, and hopefully someone can explain how I can set up my shapers to work within that situation.

Salesforce is our top priority, so when someone goes there they need to be able to browse it and any attachments really quickly, so give it a high priority. Next would be downloads/uploads, as people are always uploading stuff to YouTube here and downloading attachments etc. from websites. Lowest priority would be Dropbox downloading and uploading stuff there; however, it needs to be relatively quick for those that use it: uploading a 3gb file shouldn't take 3 hours, if you catch my drift. Our current ISP is giving us 50Mbs; we are upgrading that soon to 100, but in the meantime that's what I'm working with.

Then everything else would fall into another category on its own, I suppose. Currently 1 user can take up all the bandwidth syncing his Dropbox. So I'd like everyone to share the 50MB equally so that 1 user can't hog all the bandwidth.

I'm really new to FortiGate OS and networking in general, so I apologize in advance, but I really need to figure this out.

Many thanks in advance.

itoperations
New Contributor

Forgot to add that the firmware version is currently FortiOS v6.0.3 build0200 (GA).

lobstercreed

Check out the following links for details about how to set this up. There is a bit of a learning curve with shaping (on any platform), and I don't have much experience in it myself on the FortiGate.

https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-traffic-shaping/TS_Configuration/TS_...

https://cookbook.fortinet.com/traffic-shaping-bandwidth-56/

I would start with an application shaper for Salesforce, and then add a basic Per-IP shaper for all types of traffic to keep a single user from hogging all the bandwidth. You may not need to worry about the other details in-between with that in place, but those are at least the two easiest pieces to set up.


- Daniel

itoperations

Daniel,

Thanks for that; however, I've looked through all the documentation I can find and it doesn't seem to help me. Right now I've managed to make the Salesforce people happy by creating a Per IP policy based on traffic going to Salesforce and gave them 25mbs guaranteed bandwidth; however, people accessing/downloading anything from Dropbox or the internet get speeds of like 300kbps, which is not good at all, and most downloads fail due to timeout. I'm at a loss what to do at this point. I made a Shared shaper for max bandwidth of 50Mbs for all traffic, along with the per IP for Salesforce, but our download speeds are not good at all.

lobstercreed

I don't think you want a Per IP policy for Salesforce but rather a shared shaper of 25 Mbps. If I understand per-IP (which admittedly I haven't had to use), it allocates the specified bandwidth per user. So 2 Salesforce users could suck down your entire 50Mbps and leave everything else crawling.

Maybe to make sure per IP is understood you would want to create a shaping policy that matches all traffic with a small per IP shaper (maybe 5 Mbps depending on your user count) and see if it works as expected.  (You'll want to disable all other shaping policies while you test).

To me the expected behavior would be that each user (regardless of application, so you could test this by just going to speedtest.net) should be limited to 5Mbps.  That should leave plenty of bandwidth for each user, up to at least 10 users, and that will give you a much more reasonable download speed (though of course keep in mind the difference between Kbps and KB/s).

itoperations

From the Fortinet site for Traffic shaping methods:

"Per-IP traffic shaping enables you limit the behavior of every member of a policy to avoid one user from using all the available bandwidth - it now is shared within a group equally."

I don't think that's the case, as from what it says on the Fortinet site, it says it's shared within a group equally.

So if that's the case, that explains why my Salesforce team is happy at the moment. So I went ahead and did the same thing for Dropbox: made a per-IP policy for Dropbox traffic with a max bandwidth of 20Mbs.

Then a shared shaper for https:downloads with a low priority for 10Mbs, and then a remainder shaper for everything else.

Will see how that goes today.

lobstercreed

I could be wrong, but I just tested some stuff and it looks like the result is more or less what I first suggested.

If you combine shared shaper with per-ip shaper, you can achieve the result quoted on the website. If you *just* use a per-IP shaper, each user should get that amount of bandwidth carved out. That's what I was afraid you had done with the Salesforce policy, but if you have a per-ip along with a shared shaper then it would probably work well.


Just be careful of overprovisioning if you use multiple per-ip shapers without shared shapers.  I'll be interested in your result today.
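
A simplified model of the per-IP and shared shaper behaviour discussed in the posts above, added here as an illustration and not posted by anyone in the thread. The 25 Mbps and 50 Mbps figures come from the thread; the client IPs, the 40 Mbps demands and the max-min fair split under a shared cap are assumptions, not FortiOS's documented scheduler.

```python
# Simplified model of the two shaper types discussed in this thread.
# Assumption: traffic contending under a shared cap is split max-min fairly;
# this is an illustration, not FortiOS's actual scheduler.

LINK_MBPS = 50  # ISP link size from the thread


def per_ip_limit(demands, per_ip_max):
    """Per-IP shaper: every source IP gets its own independent cap."""
    return {ip: min(want, per_ip_max) for ip, want in demands.items()}


def shared_limit(demands, shared_max):
    """Shared shaper: one cap on the sum of all traffic matching the policy."""
    alloc, remaining = {}, float(shared_max)
    pending = sorted(demands.items(), key=lambda kv: kv[1])
    for i, (ip, want) in enumerate(pending):
        fair_share = remaining / (len(pending) - i)
        alloc[ip] = min(want, fair_share)  # small flows keep what they need
        remaining -= alloc[ip]
    return alloc


def shape(demands, per_ip_max=None, shared_max=None):
    """Apply the per-IP cap first, then the shared cap, if configured."""
    out = dict(demands)
    if per_ip_max is not None:
        out = per_ip_limit(out, per_ip_max)
    if shared_max is not None:
        out = shared_limit(out, shared_max)
    return out


def overprovisioned(per_ip_max, users, link=LINK_MBPS):
    """True if per-IP caps alone could add up to more than the link."""
    return per_ip_max * users > link


# Constructed sample: three users each trying to pull 40 Mbps.
DEMANDS = {"10.0.0.11": 40, "10.0.0.12": 40, "10.0.0.13": 40}

if __name__ == "__main__":
    only_per_ip = shape(DEMANDS, per_ip_max=25)
    combined = shape(DEMANDS, per_ip_max=25, shared_max=25)
    print("per-IP only :", only_per_ip, "total", sum(only_per_ip.values()))
    print("per-IP+shared:", combined, "total", round(sum(combined.values()), 2))
    print("3 users x 25 Mbps over link?", overprovisioned(25, 3))
    print("10 users x 5 Mbps over link?", overprovisioned(5, 10))
```
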

StasMa
New Contributor

Better just use Salesforce.
