Hardware Acceleration

NP7 traffic shaping

By default, if you configure traffic shaping for a FortiGate with NP7 processors, traffic shaping is applied to offloaded traffic by applying traffic shaping with policing.

Note

NP7 offloading of ingress traffic shaping is not supported, see Ingress traffic shaping profile.

You can use the following command to configure NP7 processors to switch between traffic shaping with policing and traffic shaping with queuing:

config system npu
    set default-qos-type {policing | shaping}
end

policing, NP7 processors apply traffic shaping with policing using the NP7 accounting and traffic shaping module (called the TPE module). When traffic exceeds configured traffic shaping bandwidth limits, traffic is dropped.

shaping, (the default) enable traffic shaping with queuing using the NP7 Queuing based Traffic Management (QTM) module. Traffic shaping with queuing schedules traffic in queues by implementing variations of a round robin algorithm. When traffic exceeds configured traffic shaping bandwidth limits, traffic is delayed for transport until bandwidth frees up. Traffic may be dropped if the queues are full. In most cases, traffic shaping with queuing will be more stable and will also improve performance for traffic shaping applied by NP7 processors.
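The difference between the two options under a burst, as an added example that is not Fortinet code: a simplified tick-based model in which policing drops excess packets at once, while queuing holds them in per-flow queues served round robin and drops only when a queue is full. The function names, the per-tick rate, the queue depth and the sample arrivals are assumptions; the NP7 TPE and QTM algorithms themselves are not modelled.

```python
from collections import deque

# Constructed sample: packets arriving per tick, keyed by flow name.
ARRIVALS = [{"a": 10, "b": 2}, {"b": 2}, {}, {}]

def police(arrivals, rate):
    """Policing: forward up to `rate` packets per tick, drop the excess."""
    forwarded = dropped = 0
    for tick in arrivals:
        n = sum(tick.values())
        forwarded += min(n, rate)
        dropped += max(0, n - rate)
    return {"forwarded": forwarded, "dropped": dropped, "max_delay": 0}

def shape(arrivals, rate, queue_depth):
    """Queuing: hold excess packets per flow, serve the queues round robin."""
    queues = {}
    forwarded = dropped = max_delay = tick = 0
    # Keep running after arrivals stop until every queue has drained.
    while tick < len(arrivals) or any(queues.values()):
        if tick < len(arrivals):
            for flow, count in arrivals[tick].items():
                q = queues.setdefault(flow, deque())
                for _ in range(count):
                    if len(q) < queue_depth:
                        q.append(tick)      # remember the arrival tick
                    else:
                        dropped += 1        # queue full: tail drop
        budget = rate
        while budget and any(queues.values()):
            for q in queues.values():       # one packet per flow per pass
                if q and budget:
                    max_delay = max(max_delay, tick - q.popleft())
                    forwarded += 1
                    budget -= 1
        tick += 1
    return {"forwarded": forwarded, "dropped": dropped, "max_delay": max_delay}

if __name__ == "__main__":
    print("policing:", police(ARRIVALS, rate=4))
    print("queuing: ", shape(ARRIVALS, rate=4, queue_depth=8))
```

With the same 14 packets, the policing model drops 8, while the queuing model drops 2 and delays the rest by up to 2 ticks.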

The FortiGate restarts after changing the QoS type.

Note

A configuration change that causes a FortiGate to restart can disrupt the operation of an FGCP cluster. If possible, you should make this configuration change to the individual FortiGates before setting up the cluster. If the cluster is already operating, you should temporarily remove the secondary FortiGate(s) from the cluster, change the configuration of the individual FortiGates and then re-form the cluster. You can remove FortiGate(s) from a cluster using the Remove Device from HA cluster button on the System > HA GUI page. For more information, see Disconnecting a FortiGate.

Note

Traffic shaping with queuing using the NP7 QTM module is not compatible with carrier-grade NAT and hyperscale firewall features. If you enable the hyperscale firewall license you cannot set default-qos-type to shaping.

In some cases, setting the default-qos-type to shaping to enable QTM may cause the NP7 processor to periodically stop forwarding traffic. This may occur randomly every few days. If this happens you need to restart the FortiGate unit to resume normal operation.

You can use the following command to prevent NP7 QTM from blocking traffic:

config system npu
    set qtm-buf-mode 4ch
end

For more information, see qtm-buf-mode {6ch | 4ch}.
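One way to check a saved configuration for the combination described above (QTM enabled without qtm-buf-mode 4ch), as an added example that is not Fortinet tooling. It assumes a plain-text FortiOS configuration backup using the usual config/set/end nesting; the function names and the sample text are constructed for illustration.

```python
# Constructed sample backup text.
SAMPLE = """\
#config-version=PLACEHOLDER
config system global
    set hostname "fw-lab-01"
end
config system npu
    set default-qos-type shaping
    set qtm-buf-mode 6ch
end
"""

def npu_settings(config_text):
    """Return the values set directly inside 'config system npu'."""
    settings, depth, npu_depth = {}, 0, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "config":
            depth += 1
            # Match at any depth so a 'config global' wrapper is handled.
            if npu_depth is None and words[1:] == ["system", "npu"]:
                npu_depth = depth
        elif words[0] == "end":
            if npu_depth == depth:
                npu_depth = None
            depth -= 1
        elif words[0] == "set" and npu_depth == depth and len(words) >= 3:
            # Only settings at the npu block's own level, not in sub-blocks.
            settings[words[1]] = " ".join(words[2:]).strip('"')
    return settings

def audit(config_text):
    """List the conditions from this page that apply to the configuration."""
    s = npu_settings(config_text)
    qos, buf = s.get("default-qos-type"), s.get("qtm-buf-mode")
    findings = []
    if qos is None:
        findings.append("default-qos-type not set explicitly; confirm the effective value on the device")
    if qos == "shaping":
        findings.append("QTM queuing in use: not compatible with carrier-grade NAT or hyperscale firewall")
        if buf != "4ch":
            findings.append("qtm-buf-mode is %s, not 4ch: NP7 may periodically stop forwarding" % (buf or "unset"))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```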
