APN traffic shaping

You can configure APN traffic shaping to control the number of GTP tunnels per second created by FortiOS Carrier. If your FortiOS Carrier includes multiple VDOMs, you can create an APN traffic shaping configuration for each VDOM. APN traffic shaping applies only to traffic accepted by firewall policies with GTP profiles, but it applies to all GTP traffic processed by GTP profiles.

APN traffic shaping allows you to create a list of APN traffic shaping policies. The policies allow you to control how many GTP tunnels per second FortiOS Carrier will create for each of the APNs in the policy list. You can configure the policy to either drop or reject packets that exceed the configured rate.

You can also create a general APN traffic shaping policy with no APNs to apply traffic shaping to GTP traffic with any APN. This allows you to limit the number of tunnels per second created by all GTP traffic.

Just like firewall policies, FortiOS Carrier reads the APN traffic shaping list in ascending order by policy ID and applies traffic shaping based on the first matching APN. One way to configure APN traffic shaping is to create a general APN traffic shaping policy with a blank APN field and give it a relatively high policy ID. Then add policies with lower policy IDs that contain specific APNs so that they appear higher in the list.

Creating a general APN traffic shaping policy is not required. If you don't create a general policy, traffic with APNs that don't match any APN in the policy list is not limited by APN traffic shaping.

Use the following command to create an APN traffic shaping policy list:

    config gtp apn-shaper
        edit <policy-id>
            set apn [<apn-name> <apngrp-name> ...]
            set rate-limit <limit>
            set action {drop | reject}
            set back-off-time <time>
    end

apn: select one or more APNs created with the config gtp apn command and one or more APN groups created with the config gtp apngrp command. You can also leave this blank to apply the shaper to any APN.

rate-limit: enter the rate limit in the range 0 to 1000000 packets per second. 0, the default, means unlimited. The rate limit refers to the number of GTP tunnel creation packets that FortiOS Carrier accepts per second, effectively limiting the GTP tunnel creation rate.

action: can be drop or reject.

  • drop drops the packet.
  • reject performs a GTP reject action, which returns an APN congestion packet with a back-off timer. GTPv0 does not support back-off timers, so the reject action is not supported for GTPv0 packets. The reject action with back-off timer is supported for GTPv1 and GTPv2.

back-off-time: if you set action to reject, specify a back-off time in seconds in the range of 10 to 360. The default is 0 but must be changed to be within the valid range.

You can use the following diagnose command to view the APN traffic shaper policy list, including the order of the policies in the list.

diagnose firewall gtp vd-apn-shaper list
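
The first-match ordering and the option ranges described above can be checked offline before a policy list is committed. The following Python code is an added example, not Fortinet code: it parses an apn-shaper block, reports which policy an APN hits first, and flags policies shadowed by a general policy, reject actions whose back-off-time is outside 10 to 360, and policies left at rate-limit 0. The APN names, policy IDs and function names are made up for illustration, and APN groups are treated as plain names rather than expanded.

```python
SAMPLE = """config gtp apn-shaper
    edit 10
        set apn internet.example
        set rate-limit 500
        set action reject
        set back-off-time 5
    next
    edit 20
        set rate-limit 2000
        set action drop
    next
    edit 30
        set apn iot.example
        set rate-limit 100
        set action drop
    next
end"""  # constructed sample; APN names and policy IDs are made up

def parse_policies(text):
    """Parse edit/set lines; unset rate-limit and back-off-time default to 0, as documented."""
    policies = []
    for words in (line.split() for line in text.splitlines()):
        if words[:1] == ["edit"]:
            policies.append({"id": int(words[1]), "apn": [], "rate-limit": 0, "action": None, "back-off-time": 0})
        elif words[:1] == ["set"] and policies and len(words) > 2:
            key, vals = words[1], [w.strip('"') for w in words[2:]]
            if key in ("apn", "action"):
                policies[-1][key] = vals if key == "apn" else vals[0]
            elif key in ("rate-limit", "back-off-time"):
                policies[-1][key] = int(vals[0])
    return sorted(policies, key=lambda p: p["id"])  # the list is read in ascending ID order

def first_match(policies, apn):
    """ID of the first policy whose APN field is blank or names this APN, else None."""
    return next((p["id"] for p in policies if not p["apn"] or apn in p["apn"]), None)

def audit(policies):
    """Return findings for shadowed policies, invalid back-off times and unlimited rates."""
    findings, general = [], None
    for p in policies:
        if general is not None:
            findings.append(f"policy {p['id']}: never matched, general policy {general} has a lower ID")
        if p["action"] == "reject" and not 10 <= p["back-off-time"] <= 360:
            findings.append(f"policy {p['id']}: reject needs back-off-time 10-360, got {p['back-off-time']}")
        if p["rate-limit"] == 0:
            findings.append(f"policy {p['id']}: rate-limit 0 means unlimited")
        if not p["apn"] and general is None:
            general = p["id"]
    return findings
```

In the sample, iot.example is matched by general policy 20 before its own policy 30 is reached, so it is shaped at 2000 rather than 100.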
