Handbook

6.0.0

Traffic shaping examples

The following examples show simple QoS configurations that use prioritization by security policy and ToS bit.

Example 1: Configuring QoS using security policy prioritization

In this example, we do the following:

  • Limit the bandwidth that each source interface can accept
  • Limit the bandwidth used by sessions that are controlled by the security policy
  • Configure prioritized queuing on the destination interface, based on the priority in the security policy, and subject to alternative assignment to queue 0 when necessary to achieve the guaranteed packet rate

This sample configuration limits ingress bandwidth to 500 Kbps. It also applies separate traffic shapers to FTP and HTTP traffic. In addition to the interface bandwidth limit, HTTP traffic is subject to a security policy bandwidth limit of 200 Kbps. All egress FTP traffic greater than 10 Kbps is subject to a low priority queue (queue 3), while all egress HTTP traffic greater than 100 Kbps is subject to a medium priority queue (queue 2). This means that unless FTP traffic rates are lower than their guaranteed rate and web traffic rates are greater than their guaranteed rate, FTP traffic is lower priority than web traffic. Traffic below these guaranteed bandwidth rates uses the highest priority queue (queue 0).

Step 1: Setting the inbandwidth limit (FortiGate CLI)

Type the following commands:

config system interface
    edit wan1
        set inbandwidth 500
    next
end

Step 2: Creating a traffic shaper for FTP (FortiGate GUI)
  1. Go to Policy & Objects > Traffic Shapers.
  2. Select Create New.
  3. Set the Type field to Shared.
  4. In the Name field, type FTP.
  5. Set the Traffic Priority field to Low.
  6. Select the Max Bandwidth checkbox and type 500Kbps.
  7. Select the Guaranteed Bandwidth checkbox and type 10Kbps.
  8. Select OK.
  9. Right-click the FTP traffic shaper and select Edit in CLI.
  10. Type the following CLI commands:

set per-policy enable
end

Step 3: Creating a traffic shaper for HTTP (FortiGate GUI)
  1. Go to Policy & Objects > Traffic Shapers.
  2. Select Create New.
  3. Set the Type field to Shared.
  4. In the Name field, type HTTP.
  5. Set the Traffic Priority field to Medium.
  6. Select the Max Bandwidth checkbox and type 200Kbps.
  7. Select the Guaranteed Bandwidth checkbox and type 100Kbps.
  8. Select OK.
  9. Right-click the HTTP traffic shaper and select Edit in CLI.
  10. In the FortiGate CLI, type the following commands:

set per-policy enable
end

Step 4: Creating a traffic shaping policy for FTP (FortiGate GUI)

We create a traffic shaping policy for FTP and add the FTP traffic shaper to it.

  1. Go to Policy & Objects > Traffic Shaping Policy.
  2. Select Create New.
  3. In the If Traffic Matches section, set the following options:

    GUI option     Value
    Source         all
    Destination    all
    Service        FTP

  4. In the Then section, set the following options:

    GUI option            Value
    Outgoing Interface    any
    Shared Shaper         Enable this option and select FTP from the drop-down menu.
    Reverse Shaper        Enable this option and select FTP from the drop-down menu.

  5. Select OK.

Step 5: Create a traffic shaping policy for HTTP (FortiGate GUI)

We create a traffic shaping policy for HTTP and add the HTTP traffic shaper to it.

  1. Go to Policy & Objects > Traffic Shaping Policy.
  2. Select Create New.
  3. In the If Traffic Matches section, set the following options:

    GUI option     Value
    Source         all
    Destination    all
    Service        HTTP

  4. In the Then section, set the following options:

    GUI option            Value
    Outgoing Interface    any
    Shared Shaper         Enable this option and select HTTP from the drop-down menu.
    Reverse Shaper        Enable this option and select HTTP from the drop-down menu.

  5. Select OK.
  6. On the policy list page, move the FTP traffic shaping policy to the top of the list, and above the HTTP traffic shaping policy. Ensure that any other general Internet access policies are at the bottom of the policy list.
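
The GUI procedure in Steps 2 to 5 can also be entered in the FortiOS CLI. The block below is an added example, not part of the original handbook page; it assumes that shaping-policy IDs 1 and 2 are unused and that bandwidth values are in the default unit of Kbps.

```fortios
# Added example: CLI equivalent of Steps 2 to 5 of Example 1.
# Shaper names and bandwidth values are the ones used in the GUI steps.
config firewall shaper traffic-shaper
    edit "FTP"
        set guaranteed-bandwidth 10
        set maximum-bandwidth 500
        set priority low
        set per-policy enable
    next
    edit "HTTP"
        set guaranteed-bandwidth 100
        set maximum-bandwidth 200
        set priority medium
        set per-policy enable
    next
end

# Policy IDs 1 and 2 are assumptions; use any free IDs.
# The FTP policy is created first so that it sits above the HTTP policy.
config firewall shaping-policy
    edit 1
        set service "FTP"
        set srcaddr "all"
        set dstaddr "all"
        set dstintf "any"
        set traffic-shaper "FTP"
        set traffic-shaper-reverse "FTP"
    next
    edit 2
        set service "HTTP"
        set srcaddr "all"
        set dstaddr "all"
        set dstintf "any"
        set traffic-shaper "HTTP"
        set traffic-shaper-reverse "HTTP"
    next
end
```

After applying the configuration, `diagnose firewall shaper traffic-shaper list` shows the shapers and their limits, which confirms that the guaranteed and maximum values took effect.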

Example 2: Configuring QoS using ToS or DiffServ prioritization

In this example, we do the following:

  • Limit the bandwidth that each source interface accepts
  • Configure prioritized queuing on the destination interface based on the value of the ToS bit located in the IP header of each accepted packet

This sample configuration limits ingress bandwidth to 500 Kbps. It also queues egress traffic based on the ToS bit in the IP header of ingress packets. Unless a priority is specified for the packet’s ToS bit value, packets use the low priority queue (queue 2). For a ToS bit value of 4, the priority is specified as medium (value 1) and for a ToS bit value of 15, the priority is specified as high (value 0).

Step 1: Setting the inbandwidth limit (FortiGate CLI)

Type the following commands:

config system interface
    edit wan1
        set inbandwidth 500
    next
end

Step 2: Configuring the global ToS priority value (FortiGate CLI)

Type the following commands:

config system global
    set tos-based-priority low
end

Step 3: Configuring some ToS bit values differently than the global ToS priority value (FortiGate CLI)

Type the following commands:

config system tos-based-priority
    edit 4
        set tos 4
        set priority medium
    next
    edit 15
        set tos 15
        set priority high
    next
end

Example 3: Traffic shaping for VoIP

In this example, we create a traffic shaper and a traffic shaping policy for each type of traffic to meet the following network requirements:

  • Guarantee bandwidth for high-priority Voice over IP (VoIP) traffic
  • Throttle FTP traffic so FTP bursts are contained and don't consume all of the available bandwidth
  • Provide consistent bandwidth for email and web-based traffic

Creating the traffic shapers

Create traffic shapers that define the maximum bandwidth and guaranteed bandwidth for each type of traffic. To more effectively control traffic, some of the traffic shapers are applied per-policy and others are applied to all policies.

Step 1: Creating a traffic shaper for VoIP (FortiGate GUI)

Create a high priority traffic shaper for VoIP traffic. Setting the traffic shaper to per-policy ensures that regardless of the number of policies that use this traffic shaper, the defined bandwidth is always the same. At the same time, the bandwidth is continually guaranteed at 800 Kbps but, if available, can be as much as 1000 Kbps. Setting the priority to high ensures that the FortiGate considers VoIP traffic the most important.

  1. Go to Policy & Objects > Traffic Shapers.
  2. Select Create New.
  3. Set the Type field to Shared.
  4. In the Name field, type voip.
  5. Set the Traffic Priority field to High.
  6. Select the Max Bandwidth checkbox and type 1000 Kbps.
  7. Select the Guaranteed Bandwidth checkbox and type 800 Kbps.
  8. Select OK.
  9. Right-click the HTTP shaper and select Edit in CLI.
  10. In the FortiGate CLI, type the following commands:

set per-policy enable
end

Step 2: Creating a traffic shaper for FTP (FortiGate GUI)

Create a traffic shaper for FTP traffic that sets a maximum bandwidth, so that spikes caused by sudden uploading and downloading of large files don't interfere with more important traffic. The maximum and guaranteed bandwidth are set to a low value and to the same value. Setting the traffic priority to a low value ensures that more important traffic passes before FTP traffic.

  1. Go to Policy & Objects > Traffic Shapers.
  2. Select Create New.
  3. Set the Type field to Shared.
  4. In the Name field, type ftp.
  5. Set the Traffic Priority field to Low.
  6. Select the Max Bandwidth checkbox and type 200 Kbps.
  7. Select the Guaranteed Bandwidth checkbox and type 200 Kbps.
  8. Select OK.

Step 3: Creating a traffic shaper for regular traffic (FortiGate GUI)

Create a traffic shaper for regular traffic that sets the maximum bandwidth and guaranteed bandwidth for everyday business traffic, such as web and email traffic. For this traffic shaper, the maximum and guaranteed bandwidth are set to a moderate value of 600 Kbps. The traffic shaper is set per policy, which ensures that each security policy for day-to-day business traffic has the same distribution of bandwidth.

  1. Go to Policy & Objects > Traffic Shapers.
  2. Select Create New.
  3. Set the Type field to Shared.
  4. In the Name field, type daily_traffic.
  5. Set the Traffic Priority field to Medium.
  6. Select the Max Bandwidth checkbox and type 600 Kbps.
  7. Select the Guaranteed Bandwidth checkbox and type 600 Kbps.
  8. Select OK.

Creating traffic shaping policies

For the following steps, the VoIP traffic shaper is enabled in both the forward and the reverse direction. This ensures that return traffic for a VoIP call has the same guaranteed bandwidth as the outgoing call. This example shows how to enable each traffic shaper in a traffic shaping policy. In this example, the traffic shaping policies apply traffic shaping to the following security policy:

GUI option            Value
Incoming Interface    lan (Internal interface)
Outgoing Interface    WAN1
Source                all
Destination           all
Schedule              always
Service               ALL
Action                ACCEPT

Step 1: Creating a traffic shaping policy for VoIP traffic (FortiGate GUI)
  1. Go to Policy & Objects > Traffic Shaping Policy.
  2. Select Create New.
  3. In the If Traffic Matches section, set the following options:

    GUI option              Value
    Source                  all
    Destination             all
    Service                 ALL
    Application Category    VoIP
    Application             SIP
    URL Category            Internet Telephony

  4. In the Then section, set the following options:

    GUI option            Value
    Outgoing Interface    wan1
    Shared Shaper         Enable this option and select voip from the drop-down menu.
    Reverse Shaper        Enable this option and select voip from the drop-down menu.

  5. Select OK.

Step 2: Creating a traffic shaping policy for FTP traffic (FortiGate GUI)
  1. Go to Policy & Objects > Traffic Shaping Policy.
  2. Select Create New.
  3. In the If Traffic Matches section, set the following options:

    GUI option     Value
    Source         all
    Destination    all
    Service        FTP

  4. In the Then section, set the following options:

    GUI option            Value
    Outgoing Interface    wan1
    Shared Shaper         Enable this option and select ftp from the drop-down menu.
    Reverse Shaper        Enable this option and select ftp from the drop-down menu.

  5. Select OK.

Step 3: Creating a traffic shaping policy for regular traffic (FortiGate GUI)
  1. Go to Policy & Objects > Traffic Shaping Policy.
  2. Select Create New.
  3. In the If Traffic Matches section, set the following options:

    GUI option     Value
    Source         all
    Destination    all
    Service        ALL

  4. In the Then section, set the following options:

    GUI option            Value
    Outgoing Interface    wan1
    Shared Shaper         Enable this option and select daily_traffic from the drop-down menu.
    Reverse Shaper        Enable this option and select daily_traffic from the drop-down menu.

  5. Select OK.

Step 4: Ordering the traffic shaping policies (FortiGate GUI)
  1. Go to Policy & Objects > Traffic Shaping Policy.
  2. Move the high priority VoIP policy to the top of the policy list.
  3. Move the low priority FTP traffic shaper to the second policy in the list.
  4. Move the medium priority regular traffic shaper to the end of the list.
