Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.6.0 Administration Guide
    7.6.0
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Running speed tests from spokes to the hub in dial-up IPsec tunnels

    Running speed tests from spokes to the hub in dial-up IPsec tunnels

    In this hub and spoke example, the hub is configured as an IPsec VPN dial-up server with two IPsec tunnels, and each tunnel is connected to a spoke. The VPN interfaces and IP addresses are:

    FortiGate

    Interface

    IP Address

    FGT_A (Hub)

    hub-phase1

    10.10.15.253

    FGT_B (Spoke)

    spoke11-p1

    10.10.15.2

    FGT_D (Spoke)

    spoke21-p1

    10.10.15.1

    The hub (FGT_A) is configured as a speed-test server to listen on custom ports (6000 and 7000), and the spokes (FGT_B and FGT_D) are configured as speed-test clients. This setup allows speed tests to successfully perform when spokes are behind NAT devices. The results of the speed test will be applied to the hub-phase1 overlay tunnel(s) as specified by the speed-test clients.

    The spokes are configured to initiate speed tests on a schedule on UDP. After the speed test completes, the results are sent to the hub, and the hub applies the results on its IPsec tunnels as egress traffic shaping. The results are also cached and can be used if an IPsec tunnel is disconnected and reconnected again.

    To configure the hub FortiGate (FGT_A) as the speed test server:

    1. Configure a shaping profile:

      In this example, the shaping profile is named profile_1.

      config firewall shaping-profile
    edit "profile_1"
        set default-class-id 2
        config shaping-entries
            edit 1
                set class-id 2
                set priority low
                set guaranteed-bandwidth-percentage 10
                set maximum-bandwidth-percentage 10
            next
            edit 2
                set class-id 3
                set priority medium
                set guaranteed-bandwidth-percentage 30
                set maximum-bandwidth-percentage 40
            next
            edit 3
                set class-id 4
                set guaranteed-bandwidth-percentage 20
                set maximum-bandwidth-percentage 60
            next
        end
    end
end

      Three classes are used in the profile for low, medium, and high priority traffic. Each class is assigned a guaranteed and maximum bandwidth as a percentage of the measured bandwidth from the speed test.

    2. Configure a shaping policy to assign certain traffic as a class ID:

      In this example, all traffic destined to the dialup tunnels are assigned class 3.

      config firewall shaping-policy
    edit 2
        set service "ALL"
        set schedule "always"
        set dstintf "hub-phase1" "hub2-phase1"
        set class-id 3
        set srcaddr "all"
        set dstaddr "all"
    next
end

    3. Enable a speed test server with custom speed-test listening ports:

      A speed test server is enabled on the hub. Port 7000 will run speed tests, and port 6000 will be the controller used to issue access tokens for speed test authentication.

      config system global
    ...
    set speedtest-server enable 
    set speedtestd-ctrl-port 6000 
    set speedtestd-server-port 7000
end

    4. Allow the speed test on the underlay:

      config system interface
    edit "port1"
        set ip 172.16.200.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric speed-test
        ...
    next
end

    5. Allow the speed test on the overlay and use the shaping profile in the interface:

      In this example, speed tests are allowed on the overlay, and the shaping profile (profile_1) is used on the hub phase1 interface (port1).

      config system interface                
    edit "hub-phase1" 
        set ip 10.10.15.253 255.255.255.255
        set allowaccess ping speed-test      
        set egress-shaping-profile "profile_1" 
        ...
        set interface "port1"
    next
end
    To configure the first spoke FortiGate (FGT_B) as a speed test client:

    1. Configure system speed-test-schedule:

      The protocol mode is set to UDP. The custom controller port used for authentication is set to 6000, and the custom port used to run the speed tests is set to 7000. The shaping profile is set to remote.

      config system speed-test-schedule
    edit "spoke11-p1"
        set mode UDP
        set schedules "1"
        set dynamic-server enable
        set ctrl-port 6000
        set server-port 7000
        set update-shaper remote
    next
end

    2. Configure a recurring schedule for the speed tests:

      Schedule 1 is set to start at 08:37 every day of the week.

      config firewall schedule recurring
    edit "1"
        set start 08:37
        set day sunday monday tuesday wednesday thursday friday saturday
    next
end
    To configure the second spoke FortiGate (FGT_D) as a speed test client:

    1. Configure a speed test schedule:

      The protocol mode is set to UDP. The custom controller port used for authentication is set to 6000, and the custom port used to run the speed tests is set to 7000. The shaping profile is set to remote.

      config system speed-test-schedule
    edit "spoke21-p1"
        set mode UDP
        set schedules "1"
        set dynamic-server enable
        set ctrl-port 6000
        set server-port 7000
        set update-shaper remote
    next
end

    2. Configure a recurring schedule for the speed tests:

      Schedule 1 is set to start at 08:37 every day of the week.

      config firewall schedule recurring
    edit "1"
        set start 08:37
        set day sunday monday tuesday wednesday thursday friday saturday
    next
end
    To view the speed test results:

    1. After the speed test schedule runs, view the result on spoke FGT_B:

      On spoke FGT_B, authentication succeeds through port 6000, and the test runs on port 7000. UDP mode is used, and the test is successful.

      # diagnose debug application speedtest -1

......
fcron_speedtest_ipsec_request_init()-464: root: spoke11-p1(spoke11-p1) id=003900d5 fd=24, init request=0.0.0.0:0 -> 10.10.15.253:6000, test=172.16.200.2:0 -> 172.16.200.1:7000: succeed.
......
[speedtest(2181)] start uploading test.
[speedtest(2181)] Connecting to host 172.16.200.1, port 7000
[speedtest(2181)] [ 26] local 172.16.200.2 port 17553 connected to 172.16.200.1 port 7000
[speedtest(2181)] [ ID] Interval           Transfer     Bitrate         Total Datagrams
[speedtest(2181)] [ 26]   0.00-1.00   sec   150 MBytes  1.26 Gbits/sec  107570
[speedtest(2181)] [ 26]   1.00-2.00   sec   149 MBytes  1.25 Gbits/sec  107120
[speedtest(2181)] [ 26]   2.00-3.00   sec   149 MBytes  1.25 Gbits/sec  107030
[speedtest(2181)] [ 26]   3.00-4.00   sec   149 MBytes  1.25 Gbits/sec  107210
[speedtest(2181)] [ 26]   4.00-5.00   sec   149 MBytes  1.25 Gbits/sec  107260
[speedtest(2181)] [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[speedtest(2181)] [ 26]   0.00-5.00   sec   747 MBytes  1.25 Gbits/sec  0.000 ms  0/536190 (0%)  sender
[speedtest(2181)] [ 26]   0.00-5.00   sec   271 MBytes   454 Mbits/sec  0.000 ms  341627/535995 (64%)  receiver
[speedtest(2181)] client(sender): bytes_recv=283777280, bytes_sent=782837400, sender_time=5.000, recver_time=5.000
[speedtest(2181)] client(sender): up_speed:  454 Mbits/sec
[speedtest(2181)]
[speedtest(2181)] speed test Done.       
[speedtest(2181)] start downloading test. 
[speedtest(2181)] Connecting to host 172.16.200.1, port 7000
[speedtest(2181)] Reverse mode, remote host 172.16.200.1 is sending
[speedtest(2181)] [ 26] local 172.16.200.2 port 7998 connected to 172.16.200.1 port 7000
[speedtest(2181)] [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[speedtest(2181)] [ 26]   0.00-1.00   sec  54.6 MBytes   458 Mbits/sec  0.007 ms  70745/109978 (64%)
[speedtest(2181)] [ 26]   1.00-2.00   sec  54.8 MBytes   460 Mbits/sec  0.008 ms  67547/106917 (63%)
[speedtest(2181)] [ 26]   2.00-3.00   sec  54.9 MBytes   460 Mbits/sec  0.010 ms  67543/106940 (63%)
[speedtest(2181)] [ 26]   3.00-4.00   sec  54.8 MBytes   460 Mbits/sec  0.006 ms  67636/107024 (63%)
[speedtest(2181)] [ 26]   4.00-5.00   sec  54.9 MBytes   460 Mbits/sec  0.004 ms  67421/106842 (63%)
[speedtest(2181)] [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[speedtest(2181)] [ 26]   0.00-5.00   sec   750 MBytes  1.26 Gbits/sec  0.000 ms  0/538540 (0%)  sender
[speedtest(2181)] [ 26]   0.00-5.00   sec   274 MBytes   460 Mbits/sec  0.004 ms  340892/537701 (63%)  receiver
[speedtest(2181)] client(recver): bytes_recv=287341140, bytes_sent=786268400, sender_time=5.000, recver_time=5.001
[speedtest(2181)] client(recver): down_speed:  460 Mbits/sec
[speedtest(2181)]
[speedtest(2181)] speed test Done.
fcron_speedtest_notify_func()-1275: Speed test pid=2181 done

fcron_speedtest_on_test_finish()-1211: Test 3900d5 for 'spoke11-p1' succeed with up=454043, down=459694
fcron_speedtest_save_results()-1144: Write logs to disk: succ=1, fail=0
fcron_speedtest_sync_results()-1172: Sync cached results to secondary devices.

    2. After the speed test schedule runs, view the result on the spoke FGT_D:

      On spoke FGT_D, authentication succeeds through port 6000, and the test runs on port 7000. UDP mode is used, and the test is successful.

      # diagnose debug application speedtest -1

......
fcron_speedtest_ipsec_request_init()-464: root: spoke21-p1(spoke21-p1) id=00380011 fd=25, init request=0.0.0.0:0 -> 10.10.15.253:6000, test=172.16.200.4:0 -> 172.16.200.1:7000: succeed.
...... 
[speedtest(4309)] start uploading test.
[speedtest(4309)] Connecting to host 172.16.200.1, port 7000
[speedtest(4309)] [ 27] local 172.16.200.4 port 15349 connected to 172.16.200.1 port 7000
[speedtest(4309)] [ ID] Interval           Transfer     Bitrate         Total Datagrams
[speedtest(4309)] [ 27]   0.00-1.00   sec   148 MBytes  1.24 Gbits/sec  105940
[speedtest(4309)] [ 27]   1.00-2.00   sec   148 MBytes  1.24 Gbits/sec  105990
[speedtest(4309)] [ 27]   2.00-3.00   sec   147 MBytes  1.24 Gbits/sec  105860
[speedtest(4309)] [ 27]   3.00-4.00   sec   148 MBytes  1.24 Gbits/sec  105960
[speedtest(4309)] [ 27]   4.00-5.00   sec   148 MBytes  1.24 Gbits/sec  106090
[speedtest(4309)] [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[speedtest(4309)] [ 27]   0.00-5.00   sec   738 MBytes  1.24 Gbits/sec  0.000 ms  0/529840 (0%)  sender
[speedtest(4309)] [ 27]   0.00-5.00   sec   271 MBytes   454 Mbits/sec  0.000 ms  335130/529650 (63%)  receiver
[speedtest(4309)] client(sender): bytes_recv=283999200, bytes_sent=773566400, sender_time=5.000, recver_time=5.000
[speedtest(4309)] client(sender): up_speed:  454 Mbits/sec
[speedtest(4309)]
[speedtest(4309)] speed test Done.
[speedtest(4309)] start downloading test. 
[speedtest(4309)] Connecting to host 172.16.200.1, port 7000
[speedtest(4309)] Reverse mode, remote host 172.16.200.1 is sending
[speedtest(4309)] [ 27] local 172.16.200.4 port 19586 connected to 172.16.200.1 port 7000
[speedtest(4309)] [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[speedtest(4309)] [ 27]   0.00-1.00   sec  56.1 MBytes   471 Mbits/sec  0.005 ms  70258/110574 (64%)
[speedtest(4309)] [ 27]   1.00-2.00   sec  56.0 MBytes   470 Mbits/sec  0.006 ms  66496/106740 (62%)
[speedtest(4309)] [ 27]   2.00-3.00   sec  56.0 MBytes   470 Mbits/sec  0.005 ms  66481/106736 (62%)
[speedtest(4309)] [ 27]   3.00-4.00   sec  56.1 MBytes   471 Mbits/sec  0.007 ms  66403/106690 (62%)
[speedtest(4309)] [ 27]   4.00-5.00   sec  56.3 MBytes   473 Mbits/sec  0.008 ms  65991/106454 (62%)
[speedtest(4309)] [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[speedtest(4309)] [ 27]   0.00-5.00   sec   749 MBytes  1.26 Gbits/sec  0.000 ms  0/538110 (0%)  sender
[speedtest(4309)] [ 27]   0.00-5.00   sec   281 MBytes   471 Mbits/sec  0.008 ms  335629/537194 (62%)  receiver
[speedtest(4309)] client(recver): bytes_recv=294284900, bytes_sent=785640600, sender_time=5.000, recver_time=5.001
[speedtest(4309)] client(recver): down_speed:  471 Mbits/sec
[speedtest(4309)]
[speedtest(4309)] speed test Done.
fcron_speedtest_notify_func()-1275: Speed test pid=4309 done

fcron_speedtest_on_test_finish()-1211: Test 380011 for 'spoke21-p1' succeed with up=454398, down=470794
fcron_speedtest_save_results()-1144: Write logs to disk: succ=1, fail=0
fcron_speedtest_sync_results()-1172: Sync cached results to secondary devices.

    3. After the speed test schedule runs, view the result on the hub (FGT_A):

      Note

      The server side uses speedtestd, while the client side uses speedtest.

      The speed test results are applied on hub-phase1_0 and hub_phase1_1 as egress traffic shaping.

      # diagnose debug application speedtestd -1

......
[speedtest(2771)] [  7] local 172.16.200.1 port 7000 connected to 172.16.200.2 port 17553
......
[speedtest(2771)] [  7] local 172.16.200.1 port 7000 connected to 172.16.200.2 port 7998
......
[sptestd::ctrl(0377):root] set shaper: if=hub-phase1, tun=hub-phase1_0, sp=profile_1, bw=459745
......
[speedtest(2771)] [  7] local 172.16.200.1 port 7000 connected to 172.16.200.4 port 15349
......
[speedtest(2771)] [  7] local 172.16.200.1 port 7000 connected to 172.16.200.4 port 19586
......
[sptestd::ctrl(0377):root] set shaper: if=hub-phase1, tun=hub-phase1_1, sp=profile_1, bw=470855 
......

    4. Verify the result is cached on the spokes.

      • On FGT_B, the speed test results are cached:

        #  diagnose test application forticron 10
Speed test results:
1: vdom=root, phase1intf=spoke11-p1, peer-id='172.16.200.1', up=454043, dw=459694, time=12/13 12:32:19

      • On FGT_D, the speed test results are cached:

        #   diagnose test application forticron 10
Speed test results:
1: vdom=root, phase1intf=spoke21-p1, peer-id='172.16.200.1', up=454398, dw=470794, time=12/12 16:33:18

    5. On the hub (FGT_A), verify the speed test results are applied to the hub's IPsec tunnels as egress traffic shaping:

      On hub-phase1_0 and hub-phase1_1, the correct traffic control is displayed.

      # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
......
------------------------------------------------------
name=hub-phase1_0 ver=2 serial=16 172.16.200.1:0->172.16.200.2:0 tun_id=10.10.15.1 tun_id6=2000:10:10:15::1 dst_mtu=1500 dpd-link=on weight=1
bound_if=11 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/74408 options[122a8]=npu rgwy-chg frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=10

parent=hub-phase1 index=0
......
egress traffic control:
        bandwidth=459745(kbps) lock_hit=0 default_class=2 n_active_class=3
        class-id=2      allocated-bandwidth=45974(kbps)         guaranteed-bandwidth=45974(kbps)
                        max-bandwidth=45974(kbps)       current-bandwidth=0(kbps)
                        priority=low    forwarded_bytes=86K
                        dropped_packets=0       dropped_bytes=0
        class-id=3      allocated-bandwidth=137923(kbps)        guaranteed-bandwidth=137923(kbps)
                        max-bandwidth=183897(kbps)      current-bandwidth=0(kbps)
                        priority=medium         forwarded_bytes=0
                        dropped_packets=0       dropped_bytes=0
        class-id=4      allocated-bandwidth=275846(kbps)        guaranteed-bandwidth=91948(kbps)
                        max-bandwidth=275846(kbps)      current-bandwidth=0(kbps)
                        priority=high   forwarded_bytes=0
                        dropped_packets=0       dropped_bytes=0
------------------------------------------------------
name=hub-phase1_1 ver=2 serial=17 172.16.200.1:0->172.16.200.4:0 tun_id=10.10.15.2 tun_id6=2000:10:10:15::2 dst_mtu=1500 dpd-link=on weight=1
bound_if=11 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/74408 options[122a8]=npu rgwy-chg frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=10

parent=hub-phase1 index=1
......
egress traffic control:
        bandwidth=470855(kbps) lock_hit=0 default_class=2 n_active_class=3
        class-id=2      allocated-bandwidth=47085(kbps)         guaranteed-bandwidth=47085(kbps)
                        max-bandwidth=47085(kbps)       current-bandwidth=0(kbps)
                        priority=low    forwarded_bytes=81K
                        dropped_packets=0       dropped_bytes=0
        class-id=3      allocated-bandwidth=141256(kbps)        guaranteed-bandwidth=141256(kbps)
                        max-bandwidth=188341(kbps)      current-bandwidth=0(kbps)
                        priority=medium         forwarded_bytes=0
                        dropped_packets=0       dropped_bytes=0
        class-id=4      allocated-bandwidth=282512(kbps)        guaranteed-bandwidth=94170(kbps)
                        max-bandwidth=282512(kbps)      current-bandwidth=0(kbps)
                        priority=high   forwarded_bytes=0
                        dropped_packets=0       dropped_bytes=0
    Previous
    Next

    More Links

    Hub and spoke speed tests
    Running speed tests from the hub to the spokes in dial-up IPsec tunnels

    Running speed tests from spokes to the hub in dial-up IPsec tunnels

    Running speed tests from spokes to the hub in dial-up IPsec tunnels

    In this hub and spoke example, the hub is configured as an IPsec VPN dial-up server with two IPsec tunnels, and each tunnel is connected to a spoke. The VPN interfaces and IP addresses are:

    FortiGate

    Interface

    IP Address

    FGT_A (Hub)

    hub-phase1

    10.10.15.253

    FGT_B (Spoke)

    spoke11-p1

    10.10.15.2

    FGT_D (Spoke)

    spoke21-p1

    10.10.15.1

    The hub (FGT_A) is configured as a speed-test server to listen on custom ports (6000 and 7000), and the spokes (FGT_B and FGT_D) are configured as speed-test clients. This setup allows speed tests to successfully perform when spokes are behind NAT devices. The results of the speed test will be applied to the hub-phase1 overlay tunnel(s) as specified by the speed-test clients.

    The spokes are configured to initiate speed tests on a schedule on UDP. After the speed test completes, the results are sent to the hub, and the hub applies the results on its IPsec tunnels as egress traffic shaping. The results are also cached and can be used if an IPsec tunnel is disconnected and reconnected again.

    To configure the hub FortiGate (FGT_A) as the speed test server:

    1. Configure a shaping profile:

      In this example, the shaping profile is named profile_1.

      config firewall shaping-profile
    edit "profile_1"
        set default-class-id 2
        config shaping-entries
            edit 1
                set class-id 2
                set priority low
                set guaranteed-bandwidth-percentage 10
                set maximum-bandwidth-percentage 10
            next
            edit 2
                set class-id 3
                set priority medium
                set guaranteed-bandwidth-percentage 30
                set maximum-bandwidth-percentage 40
            next
            edit 3
                set class-id 4
                set guaranteed-bandwidth-percentage 20
                set maximum-bandwidth-percentage 60
            next
        end
    end
end

      Three classes are used in the profile for low, medium, and high priority traffic. Each class is assigned a guaranteed and maximum bandwidth as a percentage of the measured bandwidth from the speed test.

    2. Configure a shaping policy to assign certain traffic as a class ID:

      In this example, all traffic destined to the dialup tunnels are assigned class 3.

      config firewall shaping-policy
    edit 2
        set service "ALL"
        set schedule "always"
        set dstintf "hub-phase1" "hub2-phase1"
        set class-id 3
        set srcaddr "all"
        set dstaddr "all"
    next
end

    3. Enable a speed test server with custom speed-test listening ports:

      A speed test server is enabled on the hub. Port 7000 will run speed tests, and port 6000 will be the controller used to issue access tokens for speed test authentication.

      config system global
    ...
    set speedtest-server enable 
    set speedtestd-ctrl-port 6000 
    set speedtestd-server-port 7000
end

    4. Allow the speed test on the underlay:

      config system interface
    edit "port1"
        set ip 172.16.200.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric speed-test
        ...
    next
end

    5. Allow the speed test on the overlay and use the shaping profile in the interface:

      In this example, speed tests are allowed on the overlay, and the shaping profile (profile_1) is used on the hub phase1 interface (port1).

      config system interface                
    edit "hub-phase1" 
        set ip 10.10.15.253 255.255.255.255
        set allowaccess ping speed-test      
        set egress-shaping-profile "profile_1" 
        ...
        set interface "port1"
    next
end
    To configure the first spoke FortiGate (FGT_B) as a speed test client:

    1. Configure system speed-test-schedule:

      The protocol mode is set to UDP. The custom controller port used for authentication is set to 6000, and the custom port used to run the speed tests is set to 7000. The shaping profile is set to remote.

      config system speed-test-schedule
    edit "spoke11-p1"
        set mode UDP
        set schedules "1"
        set dynamic-server enable
        set ctrl-port 6000
        set server-port 7000
        set update-shaper remote
    next
end

    2. Configure a recurring schedule for the speed tests:

      Schedule 1 is set to start at 08:37 every day of the week.

      config firewall schedule recurring
    edit "1"
        set start 08:37
        set day sunday monday tuesday wednesday thursday friday saturday
    next
end
    To configure the second spoke FortiGate (FGT_D) as a speed test client:

    1. Configure a speed test schedule:

      The protocol mode is set to UDP. The custom controller port used for authentication is set to 6000, and the custom port used to run the speed tests is set to 7000. The shaping profile is set to remote.

      config system speed-test-schedule
    edit "spoke21-p1"
        set mode UDP
        set schedules "1"
        set dynamic-server enable
        set ctrl-port 6000
        set server-port 7000
        set update-shaper remote
    next
end

    2. Configure a recurring schedule for the speed tests:

      Schedule 1 is set to start at 08:37 every day of the week.

      config firewall schedule recurring
    edit "1"
        set start 08:37
        set day sunday monday tuesday wednesday thursday friday saturday
    next
end
    To view the speed test results:

    1. After the speed test schedule runs, view the result on spoke FGT_B:

      On spoke FGT_B, authentication succeeds through port 6000, and the test runs on port 7000. UDP mode is used, and the test is successful.

      # diagnose debug application speedtest -1

......
fcron_speedtest_ipsec_request_init()-464: root: spoke11-p1(spoke11-p1) id=003900d5 fd=24, init request=0.0.0.0:0 -> 10.10.15.253:6000, test=172.16.200.2:0 -> 172.16.200.1:7000: succeed.
......
[speedtest(2181)] start uploading test.
[speedtest(2181)] Connecting to host 172.16.200.1, port 7000
[speedtest(2181)] [ 26] local 172.16.200.2 port 17553 connected to 172.16.200.1 port 7000
[speedtest(2181)] [ ID] Interval           Transfer     Bitrate         Total Datagrams
[speedtest(2181)] [ 26]   0.00-1.00   sec   150 MBytes  1.26 Gbits/sec  107570
[speedtest(2181)] [ 26]   1.00-2.00   sec   149 MBytes  1.25 Gbits/sec  107120
[speedtest(2181)] [ 26]   2.00-3.00   sec   149 MBytes  1.25 Gbits/sec  107030
[speedtest(2181)] [ 26]   3.00-4.00   sec   149 MBytes  1.25 Gbits/sec  107210
[speedtest(2181)] [ 26]   4.00-5.00   sec   149 MBytes  1.25 Gbits/sec  107260
[speedtest(2181)] [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[speedtest(2181)] [ 26]   0.00-5.00   sec   747 MBytes  1.25 Gbits/sec  0.000 ms  0/536190 (0%)  sender
[speedtest(2181)] [ 26]   0.00-5.00   sec   271 MBytes   454 Mbits/sec  0.000 ms  341627/535995 (64%)  receiver
[speedtest(2181)] client(sender): bytes_recv=283777280, bytes_sent=782837400, sender_time=5.000, recver_time=5.000
[speedtest(2181)] client(sender): up_speed:  454 Mbits/sec
[speedtest(2181)]
[speedtest(2181)] speed test Done.       
[speedtest(2181)] start downloading test. 
[speedtest(2181)] Connecting to host 172.16.200.1, port 7000
[speedtest(2181)] Reverse mode, remote host 172.16.200.1 is sending
[speedtest(2181)] [ 26] local 172.16.200.2 port 7998 connected to 172.16.200.1 port 7000
[speedtest(2181)] [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[speedtest(2181)] [ 26]   0.00-1.00   sec  54.6 MBytes   458 Mbits/sec  0.007 ms  70745/109978 (64%)
[speedtest(2181)] [ 26]   1.00-2.00   sec  54.8 MBytes   460 Mbits/sec  0.008 ms  67547/106917 (63%)
[speedtest(2181)] [ 26]   2.00-3.00   sec  54.9 MBytes   460 Mbits/sec  0.010 ms  67543/106940 (63%)
[speedtest(2181)] [ 26]   3.00-4.00   sec  54.8 MBytes   460 Mbits/sec  0.006 ms  67636/107024 (63%)
[speedtest(2181)] [ 26]   4.00-5.00   sec  54.9 MBytes   460 Mbits/sec  0.004 ms  67421/106842 (63%)
[speedtest(2181)] [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[speedtest(2181)] [ 26]   0.00-5.00   sec   750 MBytes  1.26 Gbits/sec  0.000 ms  0/538540 (0%)  sender
[speedtest(2181)] [ 26]   0.00-5.00   sec   274 MBytes   460 Mbits/sec  0.004 ms  340892/537701 (63%)  receiver
[speedtest(2181)] client(recver): bytes_recv=287341140, bytes_sent=786268400, sender_time=5.000, recver_time=5.001
[speedtest(2181)] client(recver): down_speed:  460 Mbits/sec
[speedtest(2181)]
[speedtest(2181)] speed test Done.
fcron_speedtest_notify_func()-1275: Speed test pid=2181 done

fcron_speedtest_on_test_finish()-1211: Test 3900d5 for 'spoke11-p1' succeed with up=454043, down=459694
fcron_speedtest_save_results()-1144: Write logs to disk: succ=1, fail=0
fcron_speedtest_sync_results()-1172: Sync cached results to secondary devices.

    2. After the speed test schedule runs, view the result on the spoke FGT_D:

      On spoke FGT_D, authentication succeeds through port 6000, and the test runs on port 7000. UDP mode is used, and the test is successful.

      # diagnose debug application speedtest -1

......
fcron_speedtest_ipsec_request_init()-464: root: spoke21-p1(spoke21-p1) id=00380011 fd=25, init request=0.0.0.0:0 -> 10.10.15.253:6000, test=172.16.200.4:0 -> 172.16.200.1:7000: succeed.
...... 
[speedtest(4309)] start uploading test.
[speedtest(4309)] Connecting to host 172.16.200.1, port 7000
[speedtest(4309)] [ 27] local 172.16.200.4 port 15349 connected to 172.16.200.1 port 7000
[speedtest(4309)] [ ID] Interval           Transfer     Bitrate         Total Datagrams
[speedtest(4309)] [ 27]   0.00-1.00   sec   148 MBytes  1.24 Gbits/sec  105940
[speedtest(4309)] [ 27]   1.00-2.00   sec   148 MBytes  1.24 Gbits/sec  105990
[speedtest(4309)] [ 27]   2.00-3.00   sec   147 MBytes  1.24 Gbits/sec  105860
[speedtest(4309)] [ 27]   3.00-4.00   sec   148 MBytes  1.24 Gbits/sec  105960
[speedtest(4309)] [ 27]   4.00-5.00   sec   148 MBytes  1.24 Gbits/sec  106090
[speedtest(4309)] [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[speedtest(4309)] [ 27]   0.00-5.00   sec   738 MBytes  1.24 Gbits/sec  0.000 ms  0/529840 (0%)  sender
[speedtest(4309)] [ 27]   0.00-5.00   sec   271 MBytes   454 Mbits/sec  0.000 ms  335130/529650 (63%)  receiver
[speedtest(4309)] client(sender): bytes_recv=283999200, bytes_sent=773566400, sender_time=5.000, recver_time=5.000
[speedtest(4309)] client(sender): up_speed:  454 Mbits/sec
[speedtest(4309)]
[speedtest(4309)] speed test Done.
[speedtest(4309)] start downloading test. 
[speedtest(4309)] Connecting to host 172.16.200.1, port 7000
[speedtest(4309)] Reverse mode, remote host 172.16.200.1 is sending
[speedtest(4309)] [ 27] local 172.16.200.4 port 19586 connected to 172.16.200.1 port 7000
[speedtest(4309)] [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[speedtest(4309)] [ 27]   0.00-1.00   sec  56.1 MBytes   471 Mbits/sec  0.005 ms  70258/110574 (64%)
[speedtest(4309)] [ 27]   1.00-2.00   sec  56.0 MBytes   470 Mbits/sec  0.006 ms  66496/106740 (62%)
[speedtest(4309)] [ 27]   2.00-3.00   sec  56.0 MBytes   470 Mbits/sec  0.005 ms  66481/106736 (62%)
[speedtest(4309)] [ 27]   3.00-4.00   sec  56.1 MBytes   471 Mbits/sec  0.007 ms  66403/106690 (62%)
[speedtest(4309)] [ 27]   4.00-5.00   sec  56.3 MBytes   473 Mbits/sec  0.008 ms  65991/106454 (62%)
[speedtest(4309)] [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[speedtest(4309)] [ 27]   0.00-5.00   sec   749 MBytes  1.26 Gbits/sec  0.000 ms  0/538110 (0%)  sender
[speedtest(4309)] [ 27]   0.00-5.00   sec   281 MBytes   471 Mbits/sec  0.008 ms  335629/537194 (62%)  receiver
[speedtest(4309)] client(recver): bytes_recv=294284900, bytes_sent=785640600, sender_time=5.000, recver_time=5.001
[speedtest(4309)] client(recver): down_speed:  471 Mbits/sec
[speedtest(4309)]
[speedtest(4309)] speed test Done.
fcron_speedtest_notify_func()-1275: Speed test pid=4309 done

fcron_speedtest_on_test_finish()-1211: Test 380011 for 'spoke21-p1' succeed with up=454398, down=470794
fcron_speedtest_save_results()-1144: Write logs to disk: succ=1, fail=0
fcron_speedtest_sync_results()-1172: Sync cached results to secondary devices.

    3. After the speed test schedule runs, view the result on the hub (FGT_A):

      Note

      The server side uses speedtestd, while the client side uses speedtest.

      The speed test results are applied on hub-phase1_0 and hub_phase1_1 as egress traffic shaping.

      # diagnose debug application speedtestd -1

......
[speedtest(2771)] [  7] local 172.16.200.1 port 7000 connected to 172.16.200.2 port 17553
......
[speedtest(2771)] [  7] local 172.16.200.1 port 7000 connected to 172.16.200.2 port 7998
......
[sptestd::ctrl(0377):root] set shaper: if=hub-phase1, tun=hub-phase1_0, sp=profile_1, bw=459745
......
[speedtest(2771)] [  7] local 172.16.200.1 port 7000 connected to 172.16.200.4 port 15349
......
[speedtest(2771)] [  7] local 172.16.200.1 port 7000 connected to 172.16.200.4 port 19586
......
[sptestd::ctrl(0377):root] set shaper: if=hub-phase1, tun=hub-phase1_1, sp=profile_1, bw=470855 
......

    4. Verify the result is cached on the spokes.

      • On FGT_B, the speed test results are cached:

        #  diagnose test application forticron 10
Speed test results:
1: vdom=root, phase1intf=spoke11-p1, peer-id='172.16.200.1', up=454043, dw=459694, time=12/13 12:32:19

      • On FGT_D, the speed test results are cached:

        #   diagnose test application forticron 10
Speed test results:
1: vdom=root, phase1intf=spoke21-p1, peer-id='172.16.200.1', up=454398, dw=470794, time=12/12 16:33:18

    5. On the hub (FGT_A), verify the speed test results are applied to the hub's IPsec tunnels as egress traffic shaping:

      On hub-phase1_0 and hub-phase1_1, the correct traffic control is displayed.

      # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
......
------------------------------------------------------
name=hub-phase1_0 ver=2 serial=16 172.16.200.1:0->172.16.200.2:0 tun_id=10.10.15.1 tun_id6=2000:10:10:15::1 dst_mtu=1500 dpd-link=on weight=1
bound_if=11 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/74408 options[122a8]=npu rgwy-chg frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=10

parent=hub-phase1 index=0
......
egress traffic control:
        bandwidth=459745(kbps) lock_hit=0 default_class=2 n_active_class=3
        class-id=2      allocated-bandwidth=45974(kbps)         guaranteed-bandwidth=45974(kbps)
                        max-bandwidth=45974(kbps)       current-bandwidth=0(kbps)
                        priority=low    forwarded_bytes=86K
                        dropped_packets=0       dropped_bytes=0
        class-id=3      allocated-bandwidth=137923(kbps)        guaranteed-bandwidth=137923(kbps)
                        max-bandwidth=183897(kbps)      current-bandwidth=0(kbps)
                        priority=medium         forwarded_bytes=0
                        dropped_packets=0       dropped_bytes=0
        class-id=4      allocated-bandwidth=275846(kbps)        guaranteed-bandwidth=91948(kbps)
                        max-bandwidth=275846(kbps)      current-bandwidth=0(kbps)
                        priority=high   forwarded_bytes=0
                        dropped_packets=0       dropped_bytes=0
------------------------------------------------------
name=hub-phase1_1 ver=2 serial=17 172.16.200.1:0->172.16.200.4:0 tun_id=10.10.15.2 tun_id6=2000:10:10:15::2 dst_mtu=1500 dpd-link=on weight=1
bound_if=11 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/74408 options[122a8]=npu rgwy-chg frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=10

parent=hub-phase1 index=1
......
egress traffic control:
        bandwidth=470855(kbps) lock_hit=0 default_class=2 n_active_class=3
        class-id=2      allocated-bandwidth=47085(kbps)         guaranteed-bandwidth=47085(kbps)
                        max-bandwidth=47085(kbps)       current-bandwidth=0(kbps)
                        priority=low    forwarded_bytes=81K
                        dropped_packets=0       dropped_bytes=0
        class-id=3      allocated-bandwidth=141256(kbps)        guaranteed-bandwidth=141256(kbps)
                        max-bandwidth=188341(kbps)      current-bandwidth=0(kbps)
                        priority=medium         forwarded_bytes=0
                        dropped_packets=0       dropped_bytes=0
        class-id=4      allocated-bandwidth=282512(kbps)        guaranteed-bandwidth=94170(kbps)
                        max-bandwidth=282512(kbps)      current-bandwidth=0(kbps)
                        priority=high   forwarded_bytes=0
                        dropped_packets=0       dropped_bytes=0
    Previous
    Next