Packet rates

The formula for packet rates specified for maximum bandwidth or guaranteed bandwidth is:

rate = amount / time

where rate is in Kbps

Burst size cannot exceed the configured maximum bandwidth. The FortiGate drops packets that exceed the configured maximum bandwidth. Packets deduct from the amount of bandwidth available to subsequent packets, and available bandwidth regenerates at a fixed rate. As a result, the available bandwidth for a packet may be less than the configured rate, down to a minimum of 0 Kbps.

Alternatively, rate calculation and behavior can be described using the token bucket metaphor. A traffic flow has an associated bucket, which represents burst size bounds and is the size of the configured bandwidth limit. The bucket receives tokens, which represent available bandwidth at the fixed configured rate. As time passes, tokens are added to the bucket up to capacity, and excess tokens are discarded. When a packet arrives at the FortiGate, the packet must deduct bandwidth tokens from the bucket equal to its size in order to leave the FortiGate. If there are not enough tokens, the packet cannot leave the FortiGate and is dropped.

Bursts are not redistributed over a longer interval, so bursts are propagated rather than smoothed. However, peak size is limited. The maximum burst size is the capacity of the bucket, which is the configured bandwidth limit. The actual size varies depending on the current number of tokens in the bucket, which may be less than the capacity of the bucket due to deductions made by previous packets and the fixed rate at which tokens accumulate. A depleted bucket refills at the rate of the configured bandwidth limit. Bursts cannot borrow tokens from other time intervals.

By limiting traffic peaks and token regeneration, the available bandwidth may be less than the capacity of the bucket, but the limit of the total amount per time interval is ensured. Total bandwidth use during each interval of one second is, at most, the integral of the configured rate.

Rate discrepancy

You may observe that external clients, such as FTP or BitTorrent, initially report rates between the maximum bandwidth and twice the amount of the maximum bandwidth depending on the size of their initial burst. For example, when a connection is initiated following a period of no network activity. The apparent discrepancy in rates is caused by a difference in perspective when delimiting time intervals. A burst from the client may initially consume all tokens in the bucket, and before the end of one second as the bucket regenerates, is allowed to consume almost another bucket worth of bandwidth. From the perspective of the client, this equals one time interval. However, from the perspective of the FortiGate, the bucket cannot accumulate tokens when it is full. Therefore, the time interval for token regeneration begins after the initial burst and does not contain the burst. These different points of reference result in an initial discrepancy equal to the size of the burst. The client's rate contains it, but the FortiGate's rate does not. However, if the connection is sustained to its limit and time progresses over an increasing number of intervals, this discrepancy decreases in importance relative to the bandwidth total. The client reported rate will eventually approach the configured rate limit for the FortiGate.


The maximum bandwidth is 50 Kbps, there has been no network activity for one or more seconds, and the bucket is full. A burst from an FTP client immediately consumes 50 kilobits. Because the bucket completely regenerates over one second, by the time another second elapses from the initial burst, traffic can consume another 49.999 kilobits, for a total of 99.999 kilobits between the two points in time. From the vantage point of an external FTP client regulated by this bandwidth limit, it initially appears that the bandwidth limit is 99.999 Kbps. This is almost twice the configured limit of 50 Kbps. However, bucket capacity only regenerates at the configured rate of 50 Kbps, and the connection can only consume a maximum of 50 kilobits during each subsequent second. The result is that as bandwidth consumption is averaged over an increasing number of time intervals, each of which are limited to 50 Kbps, the effect of the first interval's doubled bandwidth size diminishes proportionately, and the client's reported rate eventually approaches the configured rate limit. The following table shows the effects of a 50 Kbps limit on client reported rates:

Total size transferred (kilobits)

Time (seconds)

Rate reported by client (Kbps)

99.999 (50 + 49.999)


















Guaranteed bandwidth can also be described using a token bucket metaphor. However, because this feature attempts to achieve or exceed a rate rather than limit it, the FortiGate does not discard non-conforming packets, as it does for maximum bandwidth. Instead, when the flow does not achieve the rate, the FortiGate increases the packet priority queue, in an effort to increase the rate.

Guaranteed and maximum bandwidth rates apply to the bidirectional total for all sessions controlled by the security policy. For example, an FTP connection may entail two separate connections for the data and control portion of the session. Some packets may be reply traffic rather than initiating traffic. All packets for both connections are counted when calculating the packet rate for comparison with the guaranteed and maximum bandwidth rate.