
Handbook

6.0.0

Configuring traffic shaping policies

Traffic shaping policies allow you to apply traffic shaping measures to traffic that matches your criteria. The criteria must specify a source, destination, service, and outgoing interface. You must enable at least one type of traffic shaper to create a traffic shaping policy.

You can enable more than one traffic shaping option at the same time within a single traffic shaping policy on a FortiGate. Generally, the hierarchy for traffic shapers in FortiOS is:

  1. Application control traffic shaper
  2. Shared policy traffic shaper
  3. Per-IP traffic shaper

Within this hierarchy, if an application control list has a traffic shaper defined, it takes precedence over any other policy traffic shaper. For example, the Facebook application control example in Configuring application control traffic shaping supersedes any traffic shaper enabled in a security policy. While the Facebook application may reach its maximum bandwidth, the user can still have bandwidth available from the shared traffic shaper and, if enabled, the per-IP traffic shaper.

Equally, any security policy shared traffic shaper has precedence over any per-IP traffic shaper. However, traffic that exceeds any of these traffic shapers is dropped. For example, the policy traffic shaper takes effect first, but if the per-IP traffic shaper limit is reached first, the traffic for that user is dropped even if the shared traffic shaper limit for the policy hasn't been exceeded.
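To make the drop rule concrete, here is an added Python model (not FortiOS code) of a policy that combines a shared shaper with a per-IP shaper: a packet must fit under every shaper that applies to it, so a host's traffic is dropped at the per-IP cap even while the shared shaper still has headroom. The caps, IP addresses and packet sizes are constructed, and the application control shaper is left out of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Shaper:
    """Simplified bandwidth cap: bytes allowed per one-second tick."""
    cap: int
    used: int = 0

    def fits(self, size: int) -> bool:
        return self.used + size <= self.cap

@dataclass
class ShapingPolicy:
    shared: Optional[Shaper]        # shared policy shaper: one bucket for the whole policy
    per_ip_cap: Optional[int]       # per-IP shaper cap: one bucket is created per source IP
    per_ip: Dict[str, Shaper] = field(default_factory=dict)

    def forward(self, src_ip: str, size: int) -> str:
        """Return "forward", or "drop:<shaper>" naming the first shaper that is exceeded."""
        applicable: List[Tuple[str, Shaper]] = []
        if self.shared is not None:
            applicable.append(("shared", self.shared))
        if self.per_ip_cap is not None:
            bucket = self.per_ip.setdefault(src_ip, Shaper(self.per_ip_cap))
            applicable.append(("per-ip", bucket))
        # The packet must fit under every applicable shaper; exceeding any one drops it,
        # even when the others still have headroom (the per-IP case the text describes).
        for name, shaper in applicable:
            if not shaper.fits(size):
                return f"drop:{name}"
        for _, shaper in applicable:
            shaper.used += size
        return "forward"

def simulate(packets: List[Tuple[str, int]], shared_cap: Optional[int],
             per_ip_cap: Optional[int]) -> List[str]:
    """Run one tick of constructed traffic through a policy and return per-packet verdicts."""
    policy = ShapingPolicy(Shaper(shared_cap) if shared_cap is not None else None, per_ip_cap)
    return [policy.forward(ip, size) for ip, size in packets]

# Constructed sample: host .1 sends five 1500-byte packets, host .2 sends two, in one tick.
SAMPLE = [("10.0.0.1", 1500)] * 5 + [("10.0.0.2", 1500)] * 2

if __name__ == "__main__":
    # The shared shaper has room (15000 B), but the 4500 B per-IP cap stops host .1 after 3 packets.
    print(simulate(SAMPLE, shared_cap=15000, per_ip_cap=4500))
```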

When you create traffic shaping policies, make sure that the matching criteria are the same as those of the firewall policies that you want to apply traffic shaping to. Note that traffic shapers apply equally to TCP and UDP, but UDP-based protocols may not recover as gracefully from the packet loss that shaping causes.

You can create traffic shaping policies that use Internet Services. The Internet Service Database (ISDB) and IP Reputation Database (IRDB) enhance traffic shaping criteria for traffic shaping policies.

Creating a traffic shaping policy

Create a traffic shaping policy – GUI
  1. Go to Policy & Objects > Traffic Shaping Policy.
  2. Select Create New.
  3. In the IP Version field, select IPv4 or IPv6.
  4. In the Name field, enter a name for the traffic shaping policy.
  5. In the If Traffic Matches section, set the following options:

    Source
        To use source addresses in the traffic shaping policy, select them in the Address tab.
        To use users or user groups in the traffic shaping policy, select them in the User tab.
        To use Internet services in the traffic shaping policy, select one or more Internet services in the Internet Service tab.

    Destination
        To use destination addresses in the traffic shaping policy, select them in the Address tab.
        To use Internet services in the traffic shaping policy, select one or more Internet services in the Internet Service tab.

    Schedule
        Enable this option and select a schedule from the drop-down list.
        You can apply different traffic shaping policies at different times by applying a recurring schedule to them. The default schedule options are always and none. You can also create custom recurring or one-time schedules, or schedule groups, in Policy & Objects > Schedules and then apply them to traffic shaping policies.

    Service
        ALL

    Application
        Select an application to specify which applications you want to apply traffic shaping to.
        Select an application category to specify which category of applications you want to apply traffic shaping to.
        For more information about applying application control to traffic shaping policies, see Configuring application control traffic shaping.

    URL Category
        Choose a FortiGuard web filter category.
        For more information about applying application control to traffic shaping policies, see Configuring application control traffic shaping.

  6. In the Then section, set the following options:

    Action
        Apply Shaper or Assign Group.

    Outgoing interface
        Set this to the external interface that you want to apply traffic shaping to. For example, wan1 is often used.

    Shared shaper
        Enable this option and select a traffic shaper from the drop-down menu.
        This setting is applied to ingress-to-egress traffic, and affects uploads or outbound traffic. For example, this is useful for restricting bandwidth for uploading.
        Choose one of the default shared traffic shapers (guarantee-100kbps, high-priority, medium-priority, low-priority, shared-1M-pipe) or one of the traffic shapers that you created.

    Reverse shaper
        Enable this option and select a traffic shaper from the drop-down menu.
        This setting is applied to egress-to-ingress traffic, and affects downloads or inbound traffic. For example, this is useful for restricting bandwidth for downloading or streaming.
        Choose one of the default shared traffic shapers or a shared traffic shaper that you created.
        The shared traffic shaper that you select in the traffic shaping policy affects traffic in the direction defined by the policy. For example, if the source interface is lan and the destination is wan1, the shaper affects only the flow in that direction, that is, the upload speed of the outbound traffic. To affect the download speed of the inbound traffic, define a traffic shaper for the policy in the opposite direction; in this example, from wan1 to lan.
        In some cases you may only need traffic shaping for incoming connections, which is the reverse of the direction a typical traffic shaper applies to. In this case you can enable a reverse traffic shaper without enabling a shared traffic shaper: disable the Shared shaper option, enable the Reverse shaper option, and select a traffic shaper from the drop-down menu. This shapes the reverse direction only.

    Per-IP shaper
        Enable this option and select a traffic shaper from the drop-down menu.
        Per-IP shapers affect both downloads and uploads. Enable a per-IP traffic shaper if you want to manage bandwidth per user IP address.

  7. Select OK.
Create a traffic shaping policy – CLI

    config firewall shaping-policy
        edit <shaping_policy_ID>
            set ip-version {4 | 6}
            set srcaddr <source_address>
            set dstaddr <destination_address>
            set internet-service {enable | disable}
            set internet-service-id <service_ID>
            set internet-service-custom <custom_Internet_service_name>
            set internet-service-src {enable | disable}
            set internet-service-src-id <Internet_service_source_ID>
            set internet-service-src-custom <custom_Internet_service_source_name>
            set service <service_name>
            set schedule {always | none}
            set application <app_name>
            set app-category <app_category_ID_list>
            set url-category <URL_category_ID_list>
            set dstintf <destination_interface_list>
            set traffic-shaper <traffic_shaper_name>
            set traffic-shaper-reverse <reverse_traffic_shaper_name>
            set per-ip-shaper <per_IP_shaper_name>
        next
    end

where you set the following variables:

    internet-service
        Enables or disables the use of Internet services for this policy. If enabled, the FortiGate uses the Internet service destination address and service.
        For all related commands to be available, you must set both internet-service and internet-service-src to enable.

    internet-service-id
        The Internet service ID.

    internet-service-custom
        Enter a custom Internet service name.

    internet-service-src
        Enables or disables the use of Internet services in the source for this policy. If enabled, the FortiGate uses the Internet service source address.
        For all related commands to be available, you must set both internet-service and internet-service-src to enable.

    internet-service-src-id
        The Internet service source ID.

    internet-service-src-custom
        The custom Internet service source name.
        This custom name must already be configured.

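As an added example (not Fortinet code), the following Python function renders the config firewall shaping-policy block above from a policy description and rejects a policy with no shaper at all, which the text says cannot be created. The address object lan-hosts and the per-IP shaper per-ip-2M are hypothetical names; the shared shaper names are the defaults listed in the GUI procedure.

```python
from typing import Optional, Sequence

def render_shaping_policy(policy_id: int, *, ip_version: int = 4,
                          srcaddr: Sequence[str] = ("all",),
                          dstaddr: Sequence[str] = ("all",),
                          service: Sequence[str] = ("ALL",),
                          schedule: str = "always",
                          dstintf: Sequence[str] = ("wan1",),
                          internet_service_id: Optional[int] = None,
                          internet_service_src_id: Optional[int] = None,
                          traffic_shaper: Optional[str] = None,
                          traffic_shaper_reverse: Optional[str] = None,
                          per_ip_shaper: Optional[str] = None) -> str:
    """Return the CLI text for one shaping policy, or raise ValueError if the
    policy would violate a rule stated in the handbook text."""
    if ip_version not in (4, 6):
        raise ValueError("ip-version must be 4 or 6")
    if not (traffic_shaper or traffic_shaper_reverse or per_ip_shaper):
        # At least one type of traffic shaper is required to create the policy.
        raise ValueError("enable at least one of shared, reverse or per-IP shaper")
    out = ["config firewall shaping-policy", f"    edit {policy_id}",
           f"        set ip-version {ip_version}"]
    if internet_service_src_id is not None:
        # Source Internet service: the FortiGate uses the ISDB source address instead of srcaddr.
        out += ["        set internet-service-src enable",
                f"        set internet-service-src-id {internet_service_src_id}"]
    else:
        out.append(f"        set srcaddr {' '.join(srcaddr)}")
    if internet_service_id is not None:
        # Destination Internet service: replaces both dstaddr and service.
        out += ["        set internet-service enable",
                f"        set internet-service-id {internet_service_id}"]
    else:
        out += [f"        set dstaddr {' '.join(dstaddr)}",
                f"        set service {' '.join(service)}"]
    out += [f"        set schedule {schedule}", f"        set dstintf {' '.join(dstintf)}"]
    if traffic_shaper:                 # shared shaper: ingress-to-egress (upload) direction
        out.append(f"        set traffic-shaper {traffic_shaper}")
    if traffic_shaper_reverse:         # reverse shaper: egress-to-ingress (download) direction
        out.append(f"        set traffic-shaper-reverse {traffic_shaper_reverse}")
    if per_ip_shaper:                  # per-IP shaper: both directions, per source IP
        out.append(f"        set per-ip-shaper {per_ip_shaper}")
    out += ["    next", "end"]
    return "\n".join(out)

# Constructed examples. "lan-hosts" and "per-ip-2M" are hypothetical object names that
# would have to exist on the FortiGate; the shared shaper names are the defaults.
DOWNLOAD_ONLY = render_shaping_policy(1, srcaddr=("lan-hosts",),
                                      traffic_shaper_reverse="shared-1M-pipe")
UPLOAD_CAPPED = render_shaping_policy(2, srcaddr=("lan-hosts",),
                                      traffic_shaper="low-priority", per_ip_shaper="per-ip-2M")

if __name__ == "__main__":
    print(DOWNLOAD_ONLY)
    print(UPLOAD_CAPPED)
```
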
Disabling traffic shaping policies

Traffic shaping policies are enabled by default. You can disable traffic shaping policies.

Disable a traffic shaping policy – GUI
  1. Go to Policy & Objects > Traffic Shaping Policy.
  2. Set Status to Disabled.

Disable a traffic shaping policy – CLI

    config firewall shaping-policy
        edit <shaping_policy_ID>
            set status disable
        next
    end

Ordering traffic shaping policies

You must also place the traffic shaping policies in the correct order in the traffic shaping policy list page to get the desired results. It's necessary to arrange your traffic shaping policies into a sequence that places your more granular policies above general Internet access policies. Restrictive policies should always go above more general access policies. For example, you should place any policies with application control shaping at the top of the traffic shaping policy list, followed by more general traffic shaping policies with shared policy shapers and per-IP traffic shapers.

For example, you can place a high priority VoIP traffic shaping policy at the top of the list, followed by restrictive policies that control streaming media, and your general Internet access policy last.

Order traffic shaping policies – GUI
  1. Go to Policy & Objects > Traffic Shaping Policy.
  2. Change the order of the policies by selecting the far left column to move the policy up or down.

Make sure that the ID column is showing in the table headings, so you can easily verify a policy's position in the sequence.
