Fortinet Document Library

Cookbook

6.2.0
Interface-based traffic shaping profile

A traffic shaping policy can be used for interface-based traffic shaping by organizing traffic into 30 groups. The shaping profile defines the percentage of the interface bandwidth that is allocated to each group. Each traffic group is shaped to the assigned speed according to the outgoing bandwidth limit configured on the interface.

Traffic classification

A shaping policy classifies traffic and organizes it into different groups, or class IDs, based on matching criteria. Traffic that matches the criteria can be put into one of 30 shaping groups, identified by group IDs 2 to 31.

You must select an outgoing interface for the traffic. The shaping policy is only applied when the traffic goes to one of the selected outgoing interfaces.

Matching criteria:

  • Source
      • Address: match the source address of the traffic to the selected address or address group.
      • User: use the user credentials of the traffic to match the selected user or user group. At least one address, address group, or internet service must also be selected.
      • Internet service: match the traffic to the selected internet service. Internet services cannot be used if addresses or address groups are used.
  • Destination
      • Address: match the destination address of the traffic to the selected address or address group.
      • Internet service: match the traffic to the selected internet service. Internet services cannot be used if addresses or address groups are used.
  • Schedule: match the current date and time to the selected schedule. You can select a one-time schedule, recurring schedule, or schedule group. This setting is optional.
  • Service: match the service of the traffic to the selected service or service group.
  • Application: match the application of the traffic to the selected application, application category, or application group. Application control must be enabled in the related firewall policy to know the application of the traffic. See Application control for more information.
  • URL category: match the URL of the traffic to the selected URL category. Web filter must be enabled in the related firewall policy to know the URL of the traffic. See Web filter for more information.

Note: When multiple items are selected in one criterion, it is considered a match when traffic matches any one of them.

Traffic prioritization

Shaping profiles define how different shaping groups or classes of traffic are prioritized. For each group or class, you can define three prioritization strategies: guaranteed bandwidth, maximum bandwidth, and priority.

For each shaping profile, a default shaping group must be defined. Traffic is prioritized based on the default shaping group in the following two circumstances:

  • All traffic to the outgoing interface that does not match any shaping policy
  • Traffic with a shaping group that is not defined in a shaping profile

Prioritization strategies:

  • Guaranteed bandwidth: The percentage of the link speed that is reserved for the shaping group. The total guaranteed bandwidth for all shaping groups cannot exceed 100%.
  • Maximum bandwidth: The maximum percentage of the link speed that the shaping group can use.
  • Priority: The shaping group priority: top, critical, high, medium, or low. When groups are competing for bandwidth on the interface, the group with the higher priority wins.

Applying a shaping profile to an interface

Traffic shaping is accomplished by configuring the outgoing bandwidth and outgoing shaping profile on an interface. The shaping profile uses the outgoing bandwidth of the interface as the maximum link speed, and it only works when the outgoing bandwidth is configured.

This example shows how to apply interface-based traffic shaping to web and file accessing traffic according to a schedule:

  • The link speed of the wan1 interface is 10 Mb/s.
  • File access can use up to 2 Mb/s from 8:00 AM to 6:00 PM.
  • Web access can use 8 Mb/s from 8:00 AM to 6:00 PM.

Putting the traffic into shaping groups

To create a recurring schedule using the GUI:
  1. Go to Policy & Objects > Schedules.
  2. Click Create New > Schedule.
  3. Configure a recurring schedule called Day_Hours for every day from 8:00 AM to 6:00 PM.
  4. Click OK.
To put the web accessing traffic into a shaping group using the GUI:
  1. Go to Policy & Objects > Traffic Shaping Policy.
  2. Click Create New.
  3. Enable Schedule and select the schedule you just created.
  4. Set Service to web accessing services, such as HTTP and HTTPS.
  5. Set Action to Assign Group, then set Outgoing interface to wan1 and Shaping group to 10.

  6. Configure the remaining settings as required.
  7. Click OK.
To put the file accessing traffic into a shaping group using the GUI:
  1. Go to Policy & Objects > Traffic Shaping Policy.
  2. Click Create New.
  3. Enable Schedule and select the schedule you just created.
  4. Set Service to file accessing services, such as FTP and SMB.
  5. Set Action to Assign Group, then set Outgoing interface to wan1 and Shaping group to 20.

  6. Configure the remaining settings as required.
  7. Click OK.
To put the traffic into shaping groups using the CLI:
  1. Create a recurring schedule:
    config firewall schedule recurring
        edit "Day_Hours"
            set start 08:00
            set end 18:00
            set day sunday monday tuesday wednesday thursday friday saturday
        next
    end
  2. Put the web and file accessing traffic into shaping groups:
    config firewall shaping-policy
        edit 2
            set name "web_access_day_hours"
            set comment "To limit web accessing traffic to 8Mb/s on day time"
            set service "HTTP" "HTTPS"
            set schedule "Day_Hours"
            set dstintf "wan1"
            set class-id 10
            set srcaddr "all"
            set dstaddr "all"
        next
        edit 3
            set name "File_access_day_hours"
            set comment "To limit file accessing traffic to 2Mb/s on day time"
            set service "AFS3" "FTP" "FTP_GET" "FTP_PUT" "NFS" "SAMBA" "SMB" "TFTP"
            set schedule "Day_Hours"
            set dstintf "wan1"
            set class-id 20
            set srcaddr "all"
            set dstaddr "all"
        next
    end

Allocating bandwidth to the shaping groups

A traffic shaping profile defines the guaranteed and maximum bandwidths each group receives. File access can use up to 2 Mb/s, and web access can use 8 Mb/s from 8:00 AM to 6:00 PM.

To create a traffic shaping profile using the GUI:
  1. Go to Policy & Objects > Traffic Shaping Profile.
  2. Click Create New.
  3. Configure the default shaping group (30) for all traffic from wan1 that does not match the shaping policy.

    This group has a high priority, meaning that when the other groups have reached their guaranteed bandwidths, this default group will use the rest of the available bandwidth.

  4. Under Additional Shaping Groups, click the plus icon twice to add two more shaping groups.
  5. Configure shaping group 10 for web accessing traffic. Set the priority to medium.

    When other types of traffic are competing for bandwidth, this group is guaranteed to 6 Mb/s, or 60% of the bandwidth.

  6. Configure shaping group 20 for file accessing traffic. Set the priority to medium.

    When other types of traffic are competing for bandwidth, this group is guaranteed to 1 Mb/s, or 10% of the bandwidth.

  7. Click OK.
To create a traffic shaping profile using the CLI:
config firewall shaping-profile
    edit "Day_Hours_Profile"
        set default-class-id 30
        config shaping-entries
            edit 1
                set class-id 30
                set guaranteed-bandwidth-percentage 30
                set maximum-bandwidth-percentage 100
            next
            edit 2
                set class-id 10
                set priority medium
                set guaranteed-bandwidth-percentage 60
                set maximum-bandwidth-percentage 80
            next
            edit 3
                set class-id 20
                set priority medium
                set guaranteed-bandwidth-percentage 10
                set maximum-bandwidth-percentage 20
            next
        end
    next
end

Defining the available bandwidth on an interface

The link speed of the wan1 interface is 10 Mb/s.

To set the bandwidth of the wan1 interface using the GUI:
  1. Go to Network > Interfaces.
  2. Edit the wan1 interface.
  3. Enable Outbound shaping profile and select the profile you just created, Day_Hours_Profile.
  4. Enable Outbound Bandwidth and set it to 10000 Kbps.

  5. Click OK.
To set the bandwidth of the wan1 interface using the CLI:
config system interface
    edit "wan1"
        ....
        set outbandwidth 10000
        set egress-shaping-profile "Day_Hours_Profile"
        ....
    next
end

Diagnose commands

To check that the specific traffic is put into the correct shaping group or class ID:
# diagnose firewall iprope list 100015

policy index=2 uuid_idx=0 action=accept
flag (0):
schedule(Day_Hours)
cos_fwd=0  cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(1): 25
source(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
service(2):
        [6:0x0:0/(1,65535)->(80,80)] helper:auto
        [6:0x0:0/(1,65535)->(443,443)] helper:auto
class_id: 10

policy index=3 uuid_idx=0 action=accept
flag (0):
schedule(Day_Hours)
cos_fwd=0  cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(1): 25
source(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
service(12):
        [6:0x0:0/(1,65535)->(7000,7009)] helper:auto
        [17:0x0:0/(1,65535)->(7000,7009)] helper:auto
        [6:0x0:0/(1,65535)->(21,21)] helper:auto
        [6:0x0:0/(1,65535)->(21,21)] helper:auto
        [6:0x0:0/(1,65535)->(21,21)] helper:auto
        [6:0x0:0/(1,65535)->(111,111)] helper:auto
        [6:0x0:0/(1,65535)->(2049,2049)] helper:auto
        [17:0x0:0/(1,65535)->(111,111)] helper:auto
        [17:0x0:0/(1,65535)->(2049,2049)] helper:auto
        [6:0x0:0/(1,65535)->(139,139)] helper:auto
        [6:0x0:0/(1,65535)->(445,445)] helper:auto
        [17:0x0:0/(1,65535)->(69,69)] helper:auto
class_id: 20

To check the speed limit for each class ID on an interface:
# diagnose netlink interface list wan1

if=wan1 family=00 type=1 index=25 mtu=1500 link=0 master=0
ref=32 state=off start fw_flags=0 flags=up broadcast run allmulti multicast
Qdisc=mq hw_addr=90:6c:ac:13:ec:e0 broadcast_addr=ff:ff:ff:ff:ff:ff
egress traffic control:
        bandwidth=10000(kbps) lock_hit=0 default_class=30 n_active_class=3
        class-id=20     allocated-bandwidth=1000(kbps)  guaranteed-bandwidth=1000(kbps)
                        max-bandwidth=2000(kbps)        current-bandwidth=0(kbps)
                        priority=medium         total_bytes=0   drop_bytes=0
        class-id=10     allocated-bandwidth=6000(kbps)  guaranteed-bandwidth=6000(kbps)
                        max-bandwidth=8000(kbps)        current-bandwidth=0(kbps)
                        priority=medium         total_bytes=0   drop_bytes=0
        class-id=30     allocated-bandwidth=3000(kbps)  guaranteed-bandwidth=3000(kbps)
                        max-bandwidth=10000(kbps)       current-bandwidth=5(kbps)
                        priority=high   total_bytes=136K        drop_bytes=0
stat: rxp=9492 txp=8116 rxb=2761067 txb=4702526 rxe=0 txe=0 rxd=0 txd=0 mc=960 collision=0
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0
input_type=0 state=3 arp_entry=0 refcnt=32
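
An added example, not part of the Fortinet page: a Python check that audits the shaping profile against the constraints stated above (default group defined, guaranteed total at most 100%, group IDs 2 to 31, policy class IDs present in the profile) and compares the profile percentages, converted to kbps, with the diagnose netlink interface list output. The function names and the abridged input strings are constructed for this example, and the parser assumes every shaping entry sets both percentages.

```python
import re

# Constructed inputs: abridged copies of the profile and diagnose output on this page.
PROFILE_CLI = """config firewall shaping-profile
    edit "Day_Hours_Profile"
        set default-class-id 30
        config shaping-entries
            edit 1
                set class-id 30
                set guaranteed-bandwidth-percentage 30
                set maximum-bandwidth-percentage 100
            next
            edit 2
                set class-id 10
                set priority medium
                set guaranteed-bandwidth-percentage 60
                set maximum-bandwidth-percentage 80
            next
            edit 3
                set class-id 20
                set priority medium
                set guaranteed-bandwidth-percentage 10
                set maximum-bandwidth-percentage 20
            next
        end
    next
end"""
DIAG = """egress traffic control:
  bandwidth=10000(kbps) lock_hit=0 default_class=30 n_active_class=3
  class-id=20 allocated-bandwidth=1000(kbps) guaranteed-bandwidth=1000(kbps)
    max-bandwidth=2000(kbps) current-bandwidth=0(kbps)
  class-id=10 allocated-bandwidth=6000(kbps) guaranteed-bandwidth=6000(kbps)
    max-bandwidth=8000(kbps) current-bandwidth=0(kbps)
  class-id=30 allocated-bandwidth=3000(kbps) guaranteed-bandwidth=3000(kbps)
    max-bandwidth=10000(kbps) current-bandwidth=5(kbps)"""

def parse_profile(cli):
    """Return (default_class_id, {class_id: (guaranteed_pct, maximum_pct)})."""
    default = int(re.search(r"set default-class-id (\d+)", cli).group(1))
    entries = {}
    # Numbered "edit <n> ... next" blocks are the shaping entries.
    for block in re.findall(r"edit \d+\s*\n(.*?)\n\s*next", cli, re.S):
        f = dict(re.findall(r"set (\S+) (\S+)", block))
        entries[int(f["class-id"])] = (int(f["guaranteed-bandwidth-percentage"]),
                                       int(f["maximum-bandwidth-percentage"]))
    return default, entries

def audit(cli, policy_class_ids):
    """Check the constraints the page states for a shaping profile."""
    default, entries = parse_profile(cli)
    findings = []
    if default not in entries:
        findings.append(f"default class {default} has no shaping entry")
    if sum(g for g, _ in entries.values()) > 100:
        findings.append("guaranteed bandwidth totals more than 100%")
    findings += [f"class {c} is outside group IDs 2-31"
                 for c in sorted(entries) if not 2 <= c <= 31]
    findings += [f"class {c} is not in the profile, so it uses default class {default}"
                 for c in sorted(set(policy_class_ids) - set(entries))]
    return findings

def drift(cli, diag):
    """Return {class_id: (expected, observed)} where the kbps limits differ."""
    _, entries = parse_profile(cli)
    link = int(re.search(r"^\s*bandwidth=(\d+)\(kbps\)", diag, re.M).group(1))
    want = {c: (link * g // 100, link * m // 100) for c, (g, m) in entries.items()}
    pat = r"class-id=(\d+).*?guaranteed-bandwidth=(\d+)\(kbps\).*?max-bandwidth=(\d+)\(kbps\)"
    have = {int(c): (int(g), int(m)) for c, g, m in re.findall(pat, diag, re.S)}
    return {c: (want.get(c), have.get(c))
            for c in set(want) | set(have) if want.get(c) != have.get(c)}

if __name__ == "__main__":
    print(audit(PROFILE_CLI, [10, 20]), drift(PROFILE_CLI, DIAG))
```

An empty result from both functions means the profile satisfies the stated constraints and the interface is enforcing the limits the profile implies.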
