Fortinet Document Library

Cookbook

6.2.0

Shared traffic shaper

A shared traffic shaper is referenced by a firewall shaping policy and sets the priority, guaranteed bandwidth, and maximum bandwidth for the traffic that policy matches.

The maximum bandwidth indicates the largest amount of traffic allowed when using the policy. You can set the maximum bandwidth to a value between 1 and 16776000 Kbps. The GUI displays an error if any value outside this range is used. If you want to allow unlimited bandwidth, use the CLI to enter a value of 0.

The guaranteed bandwidth reserves a consistent amount of bandwidth for the matched traffic. Keep the total guaranteed bandwidth across all shapers well below the interface's capacity; otherwise little or no bandwidth is left for other traffic, which then queues and suffers latency.

In a shared traffic shaper, the administrator can prioritize certain traffic as high, medium, or low. FortiOS provides bandwidth to low priority connections only when high priority connections do not need the bandwidth. For example, you should assign a high traffic priority to a policy for connecting a secure web server that needs to support e-commerce traffic. You should assign less important services a low priority.

When you configure a shared traffic shaper, you can apply its bandwidth limits per policy or across all policies. By default (per-policy disabled), every policy that uses the shaper draws from one shared pool of bandwidth.

When configuring a per-policy traffic shaper, FortiOS applies the traffic shaping rules defined for each security policy individually. For example, if a per-policy traffic shaper is configured with a maximum bandwidth of 1000 Kbps, any security policies that have that traffic shaper enabled get 1000 Kbps of bandwidth each.

If a traffic shaper for all policies is configured with a maximum bandwidth of 1000 Kbps, all policies share the 1000 Kbps on a first-come, first-served basis.

The configuration is as follows:

config firewall shaper traffic-shaper
    edit "traffic_shaper_name"
        set per-policy enable
    next
end

The shared traffic shaper selected in the traffic shaping policy affects traffic in the direction defined in the policy. For example, if the source interface is LAN and the destination interface is WAN1, the traffic shaping affects the flow in this direction only, that is, the upload speed of outbound traffic. To shape the inbound traffic's download speed, define a traffic shaper for the opposite direction (the reverse shaper). In this example, that would be from WAN1 to LAN.

The following example shows how to apply different speeds to different types of service. The example configures two shared traffic shapers to use in two firewall shaping policies. One policy guarantees 10 Mbps for VoIP traffic. The other policy guarantees 1 Mbps for all other traffic. In the example, the FortiGate connects to a PC on port10 and to the Internet on port9.

To configure shared traffic shapers in the FortiOS GUI:
  1. Create a firewall policy:
    1. Go to Policy & Objects > IPv4 Policy. Click Create New.
    2. In the Name field, enter Internet Access.
    3. From the Incoming Interface dropdown list, select port10.
    4. From the Outgoing Interface dropdown list, select port9.
    5. For the Source and Destination fields, select all.
    6. From the Schedule dropdown list, select always.
    7. For the Service field, select ALL.
    8. Click OK.
  2. Create the shared traffic shapers:
    1. Go to Policy & Objects > Traffic Shapers. Click Create New.
    2. In the Name field, enter 10Mbps. This shaper is for VoIP traffic.
    3. From the Traffic Priority dropdown list, select High.
    4. Enable Max Bandwidth and enter 20000. This equates to 20 Mbps.
    5. Enable Guaranteed Bandwidth and enter 10000. This equates to 10 Mbps.
    6. Click OK.
    7. Repeat the process above to create another traffic shaper named 1Mbps. Set the Traffic Priority to Low, the Max Bandwidth to 10000, and the Guaranteed Bandwidth to 1000.
  3. Create a firewall shaping policy:
    1. Go to Policy & Objects > Traffic Shaping Policy. Click Create New.
    2. In the Name field, enter VoIP_10Mbps_High. This policy is for VoIP traffic.
    3. For the Source and Destination fields, select all.
    4. For the Service field, select the VoIP services. The CLI example on this page lists the services used: H323, IRC, MS-SQL, MYSQL, RTSP, SCCP, SIP, and SIP-MSNmessenger. Only some of these are voice protocols, so narrow the list to H323, SCCP, and SIP if you want the 10 Mbps guarantee to cover voice traffic only.
    5. For the Outgoing Interface field, select port9.
    6. Enable Shared shaper. Select 10Mbps from the dropdown list.
    7. Enable Reverse shaper. Select 10Mbps from the dropdown list.
    8. Click OK.
    9. Repeat the process above to create a firewall shaping policy named Other_1Mbps_Low for other traffic. Set the Source and Destination to all, Service to ALL, Outgoing Interface to port9, and Shared shaper and Reverse shaper to 1Mbps.
To configure shared traffic shapers using the FortiOS CLI:
  1. Create a firewall policy:

    config firewall policy
        edit 1
            set name "Internet Access"
            set srcintf "port10"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set fsso disable
            set nat enable
        next
    end

  2. Create the shared traffic shapers:

    config firewall shaper traffic-shaper
        edit "10Mbps"
            set guaranteed-bandwidth 10000
            set maximum-bandwidth 20000
            set priority high
        next
        edit "1Mbps"
            set guaranteed-bandwidth 1000
            set maximum-bandwidth 10000
            set priority low
        next
    end

  3. Create a firewall shaping policy:

    config firewall shaping-policy
        edit 1
            set name "VoIP_10Mbps_High"
            set service "H323" "IRC" "MS-SQL" "MYSQL" "RTSP" "SCCP" "SIP" "SIP-MSNmessenger"
            set dstintf "port9"
            set traffic-shaper "10Mbps"
            set traffic-shaper-reverse "10Mbps"
            set srcaddr "all"
            set dstaddr "all"
        next
        edit 2
            set name "Other_1Mbps_Low"
            set service "ALL"
            set dstintf "port9"
            set traffic-shaper "1Mbps"
            set traffic-shaper-reverse "1Mbps"
            set srcaddr "all"
            set dstaddr "all"
        next
    end
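The same procedure as a script, added here as an example (it is not Fortinet code and not part of the original page): it models the two shapers and two shaping policies, checks them against the limits stated earlier on this page (maximum bandwidth 1 to 16776000 Kbps, 0 for unlimited only via the CLI, total guarantees well below the interface capacity), and renders the FortiOS CLI. The 100 Mbps interface and the 50% ceiling on total guaranteed bandwidth are assumptions; high is the FortiOS default shaper priority.

```python
"""Render FortiOS shared-traffic-shaper CLI from a small Python model, after
checking it against the limits stated on this page.

Added example, not Fortinet code. Rules applied (from the page):
maximum-bandwidth is 1..16776000 Kbps, 0 meaning unlimited and accepted only
in the CLI; guaranteed bandwidth must stay well below interface capacity;
per-policy decides whether each policy gets its own copy of the limits.
Assumptions: a 100 Mbps uplink and a 50% cap on total guarantees.
"""
from dataclasses import dataclass, field
from typing import List

MAX_KBPS = 16776000   # largest maximum-bandwidth the GUI and CLI accept (from the page)
UNLIMITED = 0         # CLI-only value: no maximum


@dataclass
class Shaper:
    name: str
    guaranteed_kbps: int
    maximum_kbps: int
    priority: str = "high"      # FortiOS default priority
    per_policy: bool = False    # False: all policies share one pool (FortiOS default)


@dataclass
class ShapingPolicy:
    seq: int
    name: str
    dstintf: str
    shaper: str
    reverse_shaper: str
    services: List[str] = field(default_factory=lambda: ["ALL"])


def validate(shapers: List[Shaper], iface_kbps: int, headroom: float = 0.5) -> List[str]:
    """Return the problems found; an empty list means the plan is safe to push."""
    problems = []
    for s in shapers:
        if s.priority not in ("high", "medium", "low"):
            problems.append(f"{s.name}: priority must be high, medium or low")
        if s.maximum_kbps != UNLIMITED and not 1 <= s.maximum_kbps <= MAX_KBPS:
            problems.append(f"{s.name}: maximum-bandwidth {s.maximum_kbps} outside 1..{MAX_KBPS} Kbps")
        if s.maximum_kbps != UNLIMITED and s.guaranteed_kbps > s.maximum_kbps:
            problems.append(f"{s.name}: guaranteed {s.guaranteed_kbps} exceeds maximum {s.maximum_kbps}")
    # The page warns that guarantees close to the interface capacity starve
    # everything else; 'headroom' is our assumed threshold, not a FortiOS rule.
    reserved = sum(s.guaranteed_kbps for s in shapers)
    if reserved > iface_kbps * headroom:
        problems.append(f"total guaranteed {reserved} Kbps exceeds "
                        f"{int(headroom * 100)}% of the {iface_kbps} Kbps interface")
    return problems


def render(shapers: List[Shaper], policies: List[ShapingPolicy]) -> str:
    """Emit the two config blocks in the form shown in the CLI steps above."""
    out = ["config firewall shaper traffic-shaper"]
    for s in shapers:
        out += [f'    edit "{s.name}"',
                f"        set guaranteed-bandwidth {s.guaranteed_kbps}",
                f"        set maximum-bandwidth {s.maximum_kbps}",
                f"        set priority {s.priority}"]
        if s.per_policy:
            out.append("        set per-policy enable")
        out.append("    next")
    out += ["end", "config firewall shaping-policy"]
    for p in policies:
        services = " ".join(f'"{x}"' for x in p.services)
        out += [f"    edit {p.seq}",
                f'        set name "{p.name}"',
                f"        set service {services}",
                f'        set dstintf "{p.dstintf}"',
                f'        set traffic-shaper "{p.shaper}"',
                f'        set traffic-shaper-reverse "{p.reverse_shaper}"',
                '        set srcaddr "all"',
                '        set dstaddr "all"',
                "    next"]
    out.append("end")
    return "\n".join(out)


# The page's own example: VoIP guaranteed 10 Mbps, everything else 1 Mbps.
VOIP_SERVICES = ["H323", "IRC", "MS-SQL", "MYSQL", "RTSP", "SCCP", "SIP", "SIP-MSNmessenger"]
PAGE_SHAPERS = [Shaper("10Mbps", 10000, 20000, "high"),
                Shaper("1Mbps", 1000, 10000, "low")]
PAGE_POLICIES = [ShapingPolicy(1, "VoIP_10Mbps_High", "port9", "10Mbps", "10Mbps", VOIP_SERVICES),
                 ShapingPolicy(2, "Other_1Mbps_Low", "port9", "1Mbps", "1Mbps")]

if __name__ == "__main__":
    problems = validate(PAGE_SHAPERS, iface_kbps=100000)   # assumed 100 Mbps uplink
    print("\n".join(problems) if problems else render(PAGE_SHAPERS, PAGE_POLICIES))
```

Run it before pasting the output into the FortiGate CLI; if validate() reports anything, fix the plan rather than the device. Lowering iface_kbps to 20000 makes the 11000 Kbps of combined guarantees fail the headroom check, which is the situation the guaranteed-bandwidth warning above describes.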

To troubleshoot shared traffic shapers:
  1. To check if specific traffic is attached to the correct traffic shaper, run the diagnose firewall iprope list 100015 command. The example output shows the traffic attached to the 10Mbps and 1Mbps shapers. In each shapers: line, orig=10Mbps(2/1280000/2560000) gives the shaper's priority code, guaranteed bandwidth, and maximum bandwidth in bytes per second; 10000 Kbps appears as 1280000 Bps because FortiOS treats 1 Kbps as 1024 bps. The service(15) entries are the individual protocol and port ranges of the eight services in the VoIP shaping policy (protocol 6 is TCP, 17 is UDP):

    # diagnose firewall iprope list 100015
    policy index=1 uuid_idx=0 action=accept
    flag (0):
    shapers: orig=10Mbps(2/1280000/2560000)
    cos_fwd=0 cos_rev=0
    group=00100015 av=00000000 au=00000000 split=00000000
    host=4 chk_client_info=0x0 app_list=0 ips_view=0
    misc=0 dd_type=0 dd_mode=0
    zone(1): 0 -> zone(1): 38
    source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
    dest(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
    service(15):
    [6:0x0:0/(1,65535)->(1720,1720)] helper:auto
    [6:0x0:0/(1,65535)->(1503,1503)] helper:auto
    [17:0x0:0/(1,65535)->(1719,1719)] helper:auto
    [6:0x0:0/(1,65535)->(6660,6669)] helper:auto
    [6:0x0:0/(1,65535)->(1433,1433)] helper:auto
    [6:0x0:0/(1,65535)->(1434,1434)] helper:auto
    [6:0x0:0/(1,65535)->(3306,3306)] helper:auto
    [6:0x0:0/(1,65535)->(554,554)] helper:auto
    [6:0x0:0/(1,65535)->(7070,7070)] helper:auto
    [6:0x0:0/(1,65535)->(8554,8554)] helper:auto
    [17:0x0:0/(1,65535)->(554,554)] helper:auto
    [6:0x0:0/(1,65535)->(2000,2000)] helper:auto
    [6:0x0:0/(1,65535)->(5060,5060)] helper:auto
    [17:0x0:0/(1,65535)->(5060,5060)] helper:auto
    [6:0x0:0/(1,65535)->(1863,1863)] helper:auto

    policy index=2 uuid_idx=0 action=accept
    flag (0):
    shapers: orig=1Mbps(4/128000/1280000)
    cos_fwd=0 cos_rev=0
    group=00100015 av=00000000 au=00000000 split=00000000
    host=4 chk_client_info=0x0 app_list=0 ips_view=0
    misc=0 dd_type=0 dd_mode=0
    zone(1): 0 -> zone(1): 38
    source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
    dest(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
    service(1):
    [0:0x0:0/(0,0)->(0,0)] helper:auto

  2. To check if the correct traffic shaper is applied to a session, run the diagnose sys session list command. The example output shows an FTP session (destination port 21, helper=ftp) shaped by 1Mbps, which is correct because FTP is not one of the VoIP services. The origin-shaper= line names the shaper and repeats its limits in Bps, shaping_policy_id=2 is the shaping policy that matched (Other_1Mbps_Low), and policy_id=1 is the firewall policy that allowed the session (Internet Access):

    # diagnose sys session list
    session info: proto=6 proto_state=01 duration=11 expire=3599 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
    origin-shaper=1Mbps prio=4 guarantee 128000Bps max 1280000Bps traffic 1050Bps drops 0B
    reply-shaper=
    per_ip_shaper=
    class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255
    state=may_dirty npu npd os mif route_preserve
    statistic(bytes/packets/allow_err): org=868/15/1 reply=752/10/1 tuples=2
    tx speed(Bps/kbps): 76/0 rx speed(Bps/kbps): 66/0
    orgin->sink: org pre->post, reply pre->post dev=39->38/38->39 gwy=172.16.200.55/0.0.0.0
    hook=post dir=org act=snat 10.1.100.11:58241->172.16.200.55:21(172.16.200.1:58241)
    hook=pre dir=reply act=dnat 172.16.200.55:21->172.16.200.1:58241(10.1.100.11:58241)
    pos/(before,after) 0/(0,0), 0/(0,0)
    misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=4
    serial=0003255f tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id = 00000000
    dd_type=0 dd_mode=0
    npu_state=0x100000
    npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
    vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
    no_ofld_reason: offload-denied helper
    total session 1

  3. To check the status of the shared traffic shapers, run the diagnose firewall shaper traffic-shaper list command. Bandwidths are reported in KB/sec, so the 10000 Kbps guarantee appears as 1250 KB/sec, and a nonzero packets dropped counter means traffic exceeded the shaper's maximum bandwidth. The output should resemble the following:

    # diagnose firewall shaper traffic-shaper list
    name 10Mbps
    maximum-bandwidth 2500 KB/sec
    guaranteed-bandwidth 1250 KB/sec
    current-bandwidth 0 B/sec
    priority 2
    tos ff
    packets dropped 0
    bytes dropped 0

    name 1Mbps
    maximum-bandwidth 1250 KB/sec
    guaranteed-bandwidth 125 KB/sec
    current-bandwidth 0 B/sec
    priority 4
    tos ff
    packets dropped 0
    bytes dropped 0
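The three checks above can be automated. The following script is an added example, not Fortinet code and not part of the original page: it parses the shaper list and session output shown above, converts the configured Kbps values the way the device reports them, and flags any shaper whose limits differ from the intended configuration or that has dropped packets. The sample outputs are the page's own diagnose lines with one constructed change, nonzero drop counters on 1Mbps, so that the warning path runs. The unit conversion (Kbps x 1024 / 8 = Bps, then / 1024 = KB/sec) is inferred from the page's numbers: 10000 Kbps is reported as 1280000 Bps and 1250 KB/sec.

```python
"""Cross-check FortiOS shaper diagnostics against the intended configuration.

Added example, not Fortinet code. Sample text is the page's own
'diagnose firewall shaper traffic-shaper list' and 'diagnose sys session list'
output, except that the 1Mbps drop counters are constructed (nonzero) to show
the warning path. Unit conversion inferred from the page: Kbps * 1024 / 8 = Bps.
"""
import re
from typing import Dict, List, Optional

# Intended configuration from the CLI steps: name -> (guaranteed, maximum) in Kbps.
INTENDED = {"10Mbps": (10000, 20000), "1Mbps": (1000, 10000)}

SHAPER_LIST = """\
name 10Mbps
maximum-bandwidth 2500 KB/sec
guaranteed-bandwidth 1250 KB/sec
current-bandwidth 0 B/sec
priority 2
tos ff
packets dropped 0
bytes dropped 0

name 1Mbps
maximum-bandwidth 1250 KB/sec
guaranteed-bandwidth 125 KB/sec
current-bandwidth 0 B/sec
priority 4
tos ff
packets dropped 37
bytes dropped 55500
"""

SESSION = """\
session info: proto=6 proto_state=01 duration=11 expire=3599 timeout=3600
origin-shaper=1Mbps prio=4 guarantee 128000Bps max 1280000Bps traffic 1050Bps drops 0B
reply-shaper=
class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=4
"""


def kbps_to_bps(kbps: int) -> int:
    """FortiOS converts Kbps with a 1024 factor: 1000 Kbps -> 128000 Bps."""
    return kbps * 1024 // 8


def kbps_to_kb_sec(kbps: int) -> int:
    """KB/sec as printed by the shaper list: 1000 Kbps -> 125 KB/sec."""
    return kbps_to_bps(kbps) // 1024


_FIELDS = {
    "maximum_kb": r"^maximum-bandwidth (\d+) KB/sec",
    "guaranteed_kb": r"^guaranteed-bandwidth (\d+) KB/sec",
    "priority": r"^priority (\d+)",
    "packets_dropped": r"^packets dropped (\d+)",
    "bytes_dropped": r"^bytes dropped (\d+)",
}


def parse_shaper_list(text: str) -> Dict[str, Dict[str, int]]:
    """One dict per 'name ...' block of the shaper list output."""
    shapers = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        name = re.search(r"^name (\S+)", block, re.M).group(1)
        shapers[name] = {k: int(re.search(p, block, re.M).group(1)) for k, p in _FIELDS.items()}
    return shapers


def parse_session(text: str) -> Optional[Dict[str, object]]:
    """Pull shaper name, Bps limits and both policy ids out of one session dump."""
    m = re.search(r"origin-shaper=(\S+) prio=(\d+) guarantee (\d+)Bps max (\d+)Bps", text)
    if not m:
        return None  # session is not shaped at all
    sp = re.search(r"shaping_policy_id=(\d+)", text)
    fp = re.search(r"\bpolicy_id=(\d+)", text)  # \b keeps this from matching shaping_policy_id
    return {"shaper": m.group(1), "prio": int(m.group(2)),
            "guarantee_bps": int(m.group(3)), "max_bps": int(m.group(4)),
            "shaping_policy_id": int(sp.group(1)), "policy_id": int(fp.group(1))}


def check(intended, shaper_text: str, session_text: str) -> List[str]:
    """Return human-readable findings; an empty list means device state matches intent."""
    findings = []
    observed = parse_shaper_list(shaper_text)
    for name, (guar, maxi) in intended.items():
        obs = observed.get(name)
        if obs is None:
            findings.append(f"{name}: not present on the device")
            continue
        want = (kbps_to_kb_sec(guar), kbps_to_kb_sec(maxi))
        got = (obs["guaranteed_kb"], obs["maximum_kb"])
        if got != want:
            findings.append(f"{name}: device shows {got} KB/sec, expected {want}")
        if obs["packets_dropped"]:
            findings.append(f"{name}: {obs['packets_dropped']} packets / {obs['bytes_dropped']} bytes "
                            "dropped, traffic exceeded maximum-bandwidth")
    sess = parse_session(session_text)
    if sess:
        guar, maxi = intended.get(sess["shaper"], (None, None))
        if guar is None:
            findings.append(f"session shaped by unknown shaper {sess['shaper']}")
        elif (sess["guarantee_bps"], sess["max_bps"]) != (kbps_to_bps(guar), kbps_to_bps(maxi)):
            findings.append(f"session on {sess['shaper']} carries stale limits "
                            f"{sess['guarantee_bps']}/{sess['max_bps']} Bps")
    return findings


if __name__ == "__main__":
    for line in check(INTENDED, SHAPER_LIST, SESSION) or ["device state matches intended config"]:
        print(line)
```

Feed it the real output of the two diagnose commands instead of the embedded samples. A stale-limits finding on a session means the shaper was edited after the session was established; a drop finding on the low-priority shaper while the high-priority one is idle is the expected behaviour of the priorities described earlier, not a misconfiguration.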
