Type of Service-based prioritization and policy-based traffic shaping
Priority queues
After packet acceptance, FortiOS classifies traffic and may apply Quality of Service (QoS) techniques, such as prioritization and traffic shaping. Traffic shaping consists of a mixture of traffic policing to enforce bandwidth limits and priority queue adjustment to assist packets in achieving the guaranteed rate.
If you have configured prioritization, FortiOS prioritizes egressing packets by distributing them among first in first out (FIFO) queues associated with each possible priority number. Each physical interface has six priority queues. Virtual interfaces use the priority queues of the physical interface that they are bound to.
The physical interface's six queues are queue 0 to 5, where queue 0 is the highest priority queue. You might observe that your traffic uses only a subset of those six queues. For example, some traffic may always use a certain queue number. Queuing may also vary by the packet rate or mixture of services. Some queue numbers may only be used by through traffic for which you have configured traffic shaping in the security policy that applies to that traffic session.
- Administrative access traffic always uses queue 0.
- Traffic matching firewall policies without traffic shaping may use queue 0, 1, or 2. The queue is selected based on the priority value you have configured for packets with that ToS bit value, if you have configured ToS-based priorities.
- Traffic matching firewall shaping policies with traffic shaping enabled can use any queue. The queue is selected based on whether the packet rate is currently below the guaranteed bandwidth (queue 0), or above the guaranteed bandwidth. Packets at rates greater than the maximum bandwidth limit are dropped.
Priority types
Packets can be assigned a priority in one of three types:
- On entering ingress – for packets flowing through the firewall.
- Upon generation – for packets generated by the firewall (including packets generated due to AV proxying).
- On passing through a firewall policy – for packets passing through a firewall policy (firewall shaping policy) that has a traffic shaper defined.
ToS priority
The first and second types, ingress priority and priority for generated packets, are controlled by two different CLI settings:
```
config system global
    set traffic-priority-level {high | medium | low}
end
config system tos-based-priority
    edit 1
        set tos [0-15]                      <---- type of service bit in the IP datagram header with a value between 0 and 15
        set priority {high | medium | low}  <---- priority of this type of service
    next
end
```
Each priority level is mapped to a value as follows:
| ToS priority | Value |
|---|---|
| High | 0 |
| Medium | 1 |
| Low | 2 |

ToS-based traffic prioritization cannot be used to apply bandwidth limits and guarantees, but it can be used to prioritize traffic at the per-packet level.
Example
In the following example configuration, packets with ToS bit values of 10 are prioritized as medium and packets with ToS bit values of 20 are prioritized as high. All the other traffic is prioritized as low.
```
config system global
    set traffic-priority-level low
end
config system tos-based-priority
    edit 1
        set tos 10
        set priority medium
    next
    edit 2
        set tos 20
        set priority high
    next
end
```
Firewall shaping policy priority
You can enable traffic shaping in a firewall shaping policy. In the shared traffic shaper, you can set the firewall priority to high, medium, or low:
```
config firewall shaper traffic-shaper
    edit 1
        set priority {high | medium | low}
    next
end
```
As the priority in a traffic shaper is set to high by default, you must set some traffic at a lower priority to see results. Each priority level is mapped to a value as follows:
| Firewall policy priority | Value |
|---|---|
| High (default) | 1 |
| Medium | 2 |
| Low | 3 |
Combination of two priority types
To combine the two priority types, the global or ingress ToS-based priority value is added to the firewall policy priority value:

```
ToS priority (0, 1, 2) + policy priority (1, 2, 3) = total priority (queue number)
```
Consider the following scenarios:
- If the current packet rate is less than the guaranteed bandwidth, packets use priority queue 0. Packet priority is 0.
- If the current packet rate exceeds the maximum bandwidth, excess packets are dropped.
- If the current packet rate is greater than the guaranteed bandwidth but less than the maximum bandwidth, FortiOS assigns a priority queue by adding the ToS-based priority and the firewall priority.
For example, if you have enabled traffic shaping in the security policy and the security policy's traffic priority is low (value 3), and the priority normally applied to packets with that ToS bit is medium (value 1), the packets have a total packet priority of 4, and use priority queue 4.
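As an added example, not FortiOS code or Fortinet documentation, the following Python model implements the queue selection described in the ToS priority and combination sections above: the ToS-based priority lookup with its fallback to the global traffic-priority-level, and the guaranteed/maximum bandwidth decision that adds the shaper priority for traffic between the two limits. The configuration mirrors the page's example (level low, ToS 10 medium, ToS 20 high); the sample packets, the dictionary keys (default_level, tos_based_priority, guaranteed_kbps, maximum_kbps) and the treatment of a rate exactly equal to a limit are assumptions of this model, not values taken from the page.

```python
"""Model of the FortiOS egress priority-queue selection described on this page."""
from typing import Optional

# Priority level -> value, from the page's two tables.
TOS_PRIORITY_VALUE = {"high": 0, "medium": 1, "low": 2}
SHAPER_PRIORITY_VALUE = {"high": 1, "medium": 2, "low": 3}

# Constructed configuration mirroring the page's example:
# traffic-priority-level low, tos 10 -> medium, tos 20 -> high.
# (Key names are assumptions of this model.)
EXAMPLE_TOS_CONFIG = {
    "default_level": "low",                            # config system global
    "tos_based_priority": {10: "medium", 20: "high"},  # config system tos-based-priority
}


def tos_priority_value(tos: int, config: dict) -> int:
    """ToS-based priority value (0-2) for a packet with the given ToS field.

    A ToS value without an explicit tos-based-priority entry falls back to the
    global traffic-priority-level.
    """
    level = config["tos_based_priority"].get(tos, config["default_level"])
    return TOS_PRIORITY_VALUE[level]


def egress_queue(tos: int, config: dict, shaper: Optional[dict] = None,
                 rate_kbps: int = 0) -> Optional[int]:
    """Return the priority queue (0-5) a packet is placed in, or None if dropped.

    shaper is None for traffic matching a policy without traffic shaping;
    otherwise it holds the shaper's "priority", "guaranteed_kbps" and
    "maximum_kbps" (assumed names).  rate_kbps is the session's current rate.
    """
    tos_value = tos_priority_value(tos, config)
    if shaper is None:
        # No shaping: queue 0, 1 or 2 comes straight from the ToS-based priority.
        return tos_value
    if rate_kbps > shaper["maximum_kbps"]:
        return None  # above the maximum bandwidth limit: dropped
    if rate_kbps < shaper["guaranteed_kbps"]:
        return 0     # within the guaranteed rate: highest-priority queue
    # Between guaranteed and maximum: ToS priority + shaper priority.
    # Assumption: a rate exactly equal to the guarantee counts as "above" it;
    # the page does not state which side the boundary falls on.
    return tos_value + SHAPER_PRIORITY_VALUE[shaper["priority"]]


def queue_distribution(packets, config: dict, shaper: dict) -> dict:
    """Count how (tos, rate_kbps) packets land across queues 0-5 and 'dropped'."""
    counts = {q: 0 for q in range(6)}
    counts["dropped"] = 0
    for tos, rate in packets:
        q = egress_queue(tos, config, shaper, rate)
        counts["dropped" if q is None else q] += 1
    return counts


if __name__ == "__main__":
    # Constructed shaper: low priority, 1 Mbit/s guaranteed, 5 Mbit/s maximum.
    low_shaper = {"priority": "low", "guaranteed_kbps": 1000, "maximum_kbps": 5000}
    # Constructed sample packets: (ToS value, current session rate in kbit/s).
    sample = [(10, 500), (10, 2000), (20, 2000), (0, 2000), (0, 9000)]
    for tos, rate in sample:
        q = egress_queue(tos, EXAMPLE_TOS_CONFIG, low_shaper, rate)
        print(f"tos={tos:2d} rate={rate:5d} kbit/s -> queue {q}")
    print(queue_distribution(sample, EXAMPLE_TOS_CONFIG, low_shaper))
```

Running the model reproduces the page's worked case: a ToS 10 packet (medium, value 1) in a session above its guarantee under a low-priority shaper (value 3) lands in queue 4, while the same packet within the guaranteed rate goes to queue 0 and a packet above the maximum is dropped. The largest possible sum, low ToS priority (2) plus low shaper priority (3), is 5, which is why six queues per interface suffice.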