
Handbook

Configuring shared policy traffic shaping

6.0.0

Configuring shared policy traffic shaping

You can use shared policy traffic shaping to manage the bandwidth of security policies. This traffic shaping configuration allows you to control the maximum and guaranteed throughput for any security policies that are specified in the traffic shaping policy. When you configure shared policy traffic shaping, you can apply bandwidth shaping to a single policy or to all policies. Alternatively, you can edit one of the predefined traffic shapers on the Traffic Shapers page.

Creating a shared policy traffic shaper – GUI

  1. In the FortiGate GUI, go to Policy & Objects > Traffic Shapers.
  2. Select Create New.
  3. Set the Type field to Shared.
  4. In the Name field, enter a name for the traffic shaper.
  5. Set the following options:

    Traffic Priority

    Set the traffic priority to High, Medium, or Low.

    Select a traffic priority of high, medium, or low, so the FortiGate manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server that needs to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth isn't needed for high-priority connections.

    Be sure to enable traffic shaping on all security policies. If you don't apply a traffic shaping rule to a policy, the policy is set to high priority by default. Distribute security policies over all three priority queues.

    High has a priority value of 1, Medium is 2, and Low is 3. While the current packet rate is below Guaranteed Bandwidth, the FortiGate disregards this setting, and instead uses priority queues.

    Max Bandwidth

    Enable this option and set the maximum bandwidth. The range is 1 to 16776000 Kbps.

    The maximum bandwidth sets the largest amount of traffic allowed through the security policy. Depending on the service or the users included in the security policy, and on the priority you set for the traffic shaper, this value yields a larger or smaller throughput.

    You can use the FortiGate CLI to set this option to 0. Setting this option to 0 provides unlimited bandwidth.

    Packets that exceed this rate are discarded.

    Guaranteed Bandwidth

    Enable this option and set the guaranteed bandwidth. The range is 1 to 16776000 Kbps.

    The guaranteed bandwidth ensures that a consistent reserved bandwidth is available for a given service or user. Ensure that you set the bandwidth to a value that's significantly less than the bandwidth capacity of the interface. Otherwise, little to no traffic will pass through the interface and potentially cause unwanted latency.

    Setting this option to 0 provides unlimited bandwidth.

    Bandwidth guarantees affect prioritization. While packet rates are less than this rate, they use priority queue 0. If this isn't the effect you intend, consider entering a small guaranteed rate, or enter 0 to effectively disable bandwidth guarantees.

    DSCP

    Enable this option and set the DSCP value.

    You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet. For more information, see Configuring differentiated services.

  6. Select OK.

Enabling the Apply shaper option in the FortiGate GUI

You can configure the FortiGate to apply traffic shapers equally to all policies that use the traffic shaper or to each security policy individually. By default, shared traffic shapers apply traffic shaping equally to all policies that use the traffic shaper. If you want to apply the traffic shapers to each security policy individually, you must enable the Apply shaper option in the FortiGate GUI.

  1. In the FortiGate GUI, go to Policy & Objects > Traffic Shapers.
  2. Right-click on the traffic shaper that you want to enable the Apply shaper option for.
  3. Select Edit in CLI.

    The CLI Console window opens.

  4. Type the following commands:

    set per-policy enable
    end

  5. Close the CLI Console window.
  6. Ensure the traffic shaper is highlighted and select Create New.
  7. In the Apply shaper field, select one of the following options:

    Per policy

    When you set a traffic shaper to be per policy, the FortiGate applies the traffic shaping rules defined to each security policy individually.

    For example, if a traffic shaper is set to per policy with a maximum bandwidth of 1000 Kbps and applied to four security policies, each of the four policies gets its own maximum bandwidth of 1000 Kbps.

    Per policy traffic shaping is compatible with client/server (active-passive) transparent mode WAN optimization rules. Traffic shaping is ignored for peer-to-peer WAN optimization and for client/server WAN optimization not operating in transparent mode.

    All policies using this shaper

    When you configure a traffic shaper to apply to all policies (All policies using this shaper), the FortiGate applies the traffic shaping rules to all policies using the same traffic shaper.

    For example, the traffic shaper is set to All policies using this shaper with a maximum bandwidth of 1000 Kbps. There are four security policies monitoring traffic through the FortiGate, and all four have the traffic shaper enabled. The four policies must share the defined 1000 Kbps, which is allocated on a first come, first served basis. For example, if policy 1 uses 800 Kbps, the remaining three must share 200 Kbps. As policy 1 uses less bandwidth, the freed bandwidth becomes available to the other policies as required. Once the 1000 Kbps is in use, any other policies encounter latency until bandwidth is freed by a policy currently using it.
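The two Apply shaper modes described above can be checked with a small model of the allocation rules. The following Python script is an added example, not Fortinet code or behaviour captured from a FortiGate: it treats the shaper as a single first come, first served pool in the All policies using this shaper mode and as an independent cap per policy in the Per policy mode, it does not model guaranteed bandwidth or priority queues, and the function names and the sample demands are my own.

```python
"""Model of how a shared shaper's Max Bandwidth is divided between the
security policies that reference it, in each Apply shaper mode.

Simplified model for illustration only: guaranteed bandwidth and the
priority queues are not modelled.
"""
from typing import Dict, List, Tuple

Demand = Tuple[str, int]  # (policy name, requested Kbps), in arrival order


def allocate(max_kbps: int, per_policy: bool, demands: List[Demand]) -> Dict[str, int]:
    """Return the Kbps each policy actually gets from the shaper.

    max_kbps == 0 means unlimited, as when the value is set from the CLI.
    """
    if max_kbps == 0:
        return {policy: wanted for policy, wanted in demands}
    if per_policy:
        # Per policy: every policy is capped independently at the full maximum.
        return {policy: min(wanted, max_kbps) for policy, wanted in demands}
    # All policies using this shaper: one pool, first come first served.
    remaining = max_kbps
    granted: Dict[str, int] = {}
    for policy, wanted in demands:
        take = min(wanted, remaining)
        granted[policy] = take
        remaining -= take
    return granted


def starved(granted: Dict[str, int], demands: List[Demand]) -> List[str]:
    """Policies that received less than they asked for (these see latency)."""
    return [policy for policy, wanted in demands if granted[policy] < wanted]


def aggregate_ceiling(max_kbps: int, policy_count: int, per_policy: bool) -> int:
    """Worst-case total Kbps the shaper can admit across all of its policies.

    In Per policy mode the ceiling grows with the number of policies, which
    matters when sizing the shaper against the capacity of the interface.
    """
    if max_kbps == 0:
        raise ValueError("an unlimited shaper (0) has no ceiling")
    return max_kbps * policy_count if per_policy else max_kbps


if __name__ == "__main__":
    # Constructed sample: four policies on a 1000 Kbps shaper, policy1 arrives first.
    sample = [("policy1", 800), ("policy2", 300), ("policy3", 300), ("policy4", 300)]
    for mode in (False, True):
        got = allocate(1000, mode, sample)
        label = "per-policy" if mode else "all-policies"
        print(label, got, "starved:", starved(got, sample))
        print(label, "ceiling for 4 policies:", aggregate_ceiling(1000, 4, mode), "Kbps")
```

Running the script reproduces the handbook's figures: in the shared mode policy1 keeps 800 Kbps and the other three are left with 200 Kbps between them, while in the per policy mode each of the four gets its full demand, and the worst-case load on the interface is four times the shaper's maximum.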

Creating a shared policy traffic shaper – CLI

config firewall shaper traffic-shaper
    edit <traffic_shaper_name>
        set per-policy enable
        set maximum-bandwidth <bandwidth>
        set guaranteed-bandwidth <bandwidth>
        set priority {low | medium | high}
    next
end

Example: Configuring a shared traffic shaper per policy

The following example shows how to create a per policy traffic shaper, named Throughput, with a maximum traffic amount of 720,000 Kbps, and a guaranteed traffic of 150,000 Kbps with a high traffic priority.

In the FortiGate GUI:

  1. Go to Policy & Objects > Traffic Shapers.
  2. Select Create New.
  3. Set Type to Shared.
  4. Set Name to Throughput.
  5. Set Apply shaper to Per policy.
  6. Set Traffic Priority to High.
  7. Enable Max Bandwidth and set the value to 150000.
  8. Enable Guaranteed Bandwidth and set the value to 120000.
  9. Select OK.

In the FortiGate CLI:

config firewall shaper traffic-shaper
    edit Throughput
        set per-policy enable
        set maximum-bandwidth 150000
        set guaranteed-bandwidth 120000
        set priority high
        set diffserv enable
        set diffservcode <binary_integer>
    next
end
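The CLI syntax and the Throughput example above can be generated and checked before they are pasted into the CLI. The following Python script is an added example, not Fortinet code: it renders the same config firewall shaper traffic-shaper block and rejects values outside the 1 to 16776000 Kbps range (0 is allowed for unlimited), a guarantee larger than the maximum, a guaranteed bandwidth too close to an assumed interface capacity (the 80% threshold is my assumption, since the handbook only says "significantly less"), and a DSCP code that is not six binary digits. The class and function names are mine, and quoting the shaper name in the edit line is a FortiOS convention that is not shown on this page.

```python
"""Render a FortiOS shared traffic-shaper block and sanity-check its values
against the limits stated in the handbook before pasting it into the CLI."""
from dataclasses import dataclass
from typing import List, Optional

KBPS_MAX = 16776000  # top of the 1..16776000 Kbps range for both bandwidth fields
PRIORITIES = ("low", "medium", "high")


@dataclass
class SharedShaper:
    name: str
    maximum_bandwidth: int              # Kbps; 0 = unlimited (CLI only)
    guaranteed_bandwidth: int = 0       # Kbps; 0 = no guarantee
    priority: str = "high"
    per_policy: bool = False
    diffservcode: Optional[str] = None  # 6-bit binary string; None leaves diffserv off


def validate(shaper: SharedShaper, interface_capacity_kbps: Optional[int] = None,
             guarantee_limit: float = 0.8) -> List[str]:
    """Return a list of problems; an empty list means the shaper passes.

    guarantee_limit is an assumed threshold for "significantly less than the
    interface capacity"; the handbook gives no exact figure.
    """
    problems: List[str] = []
    for label, value in (("maximum-bandwidth", shaper.maximum_bandwidth),
                         ("guaranteed-bandwidth", shaper.guaranteed_bandwidth)):
        if value != 0 and not 1 <= value <= KBPS_MAX:
            problems.append(f"{label} {value} is not 0 or within 1..{KBPS_MAX} Kbps")
    if shaper.priority not in PRIORITIES:
        problems.append(f"priority must be one of {PRIORITIES}")
    if shaper.maximum_bandwidth and shaper.guaranteed_bandwidth > shaper.maximum_bandwidth:
        problems.append("guaranteed-bandwidth exceeds maximum-bandwidth")
    if interface_capacity_kbps is not None and \
            shaper.guaranteed_bandwidth > guarantee_limit * interface_capacity_kbps:
        problems.append("guaranteed-bandwidth is too close to the interface capacity")
    if shaper.diffservcode is not None and not (
            len(shaper.diffservcode) == 6 and set(shaper.diffservcode) <= {"0", "1"}):
        problems.append("diffservcode must be a 6-digit binary value")
    return problems


def render(shaper: SharedShaper) -> str:
    """Emit the CLI block in the same shape as the handbook's syntax."""
    body = [
        f"set per-policy {'enable' if shaper.per_policy else 'disable'}",
        f"set maximum-bandwidth {shaper.maximum_bandwidth}",
        f"set guaranteed-bandwidth {shaper.guaranteed_bandwidth}",
        f"set priority {shaper.priority}",
    ]
    if shaper.diffservcode is not None:
        body += ["set diffserv enable", f"set diffservcode {shaper.diffservcode}"]
    lines = ["config firewall shaper traffic-shaper", f'    edit "{shaper.name}"']
    lines += ["        " + line for line in body]
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input matching the handbook's Throughput example.
    throughput = SharedShaper("Throughput", 150000, 120000, "high", per_policy=True)
    issues = validate(throughput, interface_capacity_kbps=1000000)
    print(render(throughput) if not issues else "\n".join(issues))
```

Only a shaper that passes validate is rendered, so a typo such as an extra zero in the bandwidth, or a guarantee that would starve the rest of the interface, is caught before it reaches the device.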
