New Features

6.2.0

Traffic Shaping GUI Update

This feature adds GUI support for interface based traffic shaping.

Example

In this example, QA traffic to the database is put into shaping group 10 and is guaranteed to have 60% of the interface bandwidth, which is 6 Mbps. Other QA traffic is put into shaping group 20 and is guaranteed to have 40% of the interface bandwidth, which is 4 Mbps.

To configure interface based traffic shaping in the GUI:
  1. On the FortiGate, create a firewall policy for the traffic.
  2. Create the shaping policy for QA to access the database:
    1. Go to Policy & Objects > Traffic Shaping Policy.
    2. Click Create New. The New Shaping Policy page opens.

    3. Configure the settings as needed, setting the Destination to the database, the Outgoing interface to port9, and the Shaping group to 10.
    4. Click OK.
  3. Create the shaping policy for all other QA traffic:
    1. Go to Policy & Objects > Traffic Shaping Policy.
    2. Click Create New. The New Shaping Policy page opens.
    3. Configure the settings as needed, setting the Shaping group to 20.
    4. Click OK.

    Traffic from QA to the database is put into shaping group 10, and all other QA traffic is put into shaping group 20.

  4. Configure a traffic shaping profile:
    1. Go to Policy & Objects > Traffic Shaping Profile.
    2. Click Create New. The Create shaping profile page opens.
    3. Set the Default Shaping Group to Shaping group 20 with a Guaranteed bandwidth of 40.
    4. Add an Additional Shaping Group, and set the Shaping group to 10 and Guaranteed bandwidth to 60.

    5. Configure the remaining settings as needed.
    6. Click OK.
  5. Enable interface based traffic shaping on an interface (port9 in this example):
    1. Go to Network > Interfaces and double-click on port9. The Edit Interface page opens.
    2. Set the Outbound Bandwidth to 10000 Kbps.
    3. Set the Outgoing Shaping Profile to the profile that you just created.

    4. Configure the remaining settings as needed.
    5. Click OK.
To configure interface based traffic shaping in the CLI:
  1. On the FortiGate, create a firewall policy for the traffic:
    config firewall policy
        edit 2
            set name "QA to Internet"
            set srcintf "port10"
            set dstintf "port9"
            set srcaddr "QA_subnet"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set auto-asic-offload disable
            set nat enable
        next
    end
  2. Create shaping policies for QA to access the database and the Internet:
    config firewall shaping-policy
        edit 1
            set name "To_Database"
            set service "ALL"
            set dstintf "port9"
            set class-id 10
            set srcaddr "QA_subnet"
            set dstaddr "Database"
        next
        edit 2
            set name "To_Internet"
            set service "ALL"
            set dstintf "port9"
            set class-id 20
            set srcaddr "QA_subnet"
            set dstaddr "all"
        next
    end
  3. Configure a firewall shaping profile:
    config firewall shaping-profile
        edit "QA_Profile"
            set default-class-id 20
            config shaping-entries
                edit 1
                    set class-id 20
                    set priority medium
                    set guaranteed-bandwidth-percentage 40
                    set maximum-bandwidth-percentage 50
                next
                edit 2
                    set class-id 10
                    set guaranteed-bandwidth-percentage 60
                    set maximum-bandwidth-percentage 80
                next
            end
        next
    end
  4. Enable interface based traffic shaping on an interface (port9 in this example):
    config system interface
        edit "port9"
            set vdom "qa_team"
            set ip 172.16.200.1 255.255.255.0
            set allowaccess ping https ssh http telnet
            set type physical
            set outbandwidth 10000
            set egress-shaping-profile "QA_Profile"
            set snmp-index 11
        next
    end
Note

Interface based traffic shaping cannot be used when traffic is offloaded.
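
The note above is easy to miss when new policies are added later, so the following added example (not Fortinet's code) parses a saved configuration and lists firewall policies that egress an interface with an `egress-shaping-profile` but do not set `auto-asic-offload disable`. Policy 3 in the sample is constructed for illustration, and the check assumes that a policy with no explicit setting is eligible for offload.

```python
import shlex

# Constructed input: policy 2 and port9 follow the page's CLI example;
# policy 3 is a hypothetical rule that leaves auto-asic-offload at its default.
SAMPLE = """
config firewall policy
    edit 2
        set dstintf "port9"
        set auto-asic-offload disable
    next
    edit 3
        set dstintf "port9"
    next
end
config system interface
    edit "port9"
        set outbandwidth 10000
        set egress-shaping-profile "QA_Profile"
    next
end
"""

def parse(text):
    """Build nested dicts from config/edit blocks; next/end close one level."""
    stack = [{}]
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] in (["config"], ["edit"]):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[:1] in (["next"], ["end"]):
            stack.pop()
        elif tok[:1] == ["set"]:
            stack[-1][tok[1]] = tok[2:]
    return stack[0]

def unshaped_policies(text):
    """Return (policy id, interface) pairs where offloaded traffic would skip shaping."""
    cfg = parse(text)
    shaped = {name for name, itf in cfg.get("system interface", {}).items()
              if "egress-shaping-profile" in itf}
    hits = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        # Assumption: a policy with no explicit setting is offload-eligible.
        if pol.get("auto-asic-offload") == ["disable"]:
            continue
        hits += [(pid, intf) for intf in pol.get("dstintf", []) if intf in shaped]
    return hits

if __name__ == "__main__":
    print(unshaped_policies(SAMPLE))
```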
