NP7 traffic shaping
By default, if you configure traffic shaping for a FortiGate with NP7 processors, the NP7 processors apply traffic shaping with policing to offloaded traffic.
You can use the following command to configure NP7 processors to switch between traffic shaping with policing and traffic shaping with queuing:
config system npu
set default-qos-type {policing | shaping}
end
policing (the default): NP7 processors apply traffic shaping with policing using the NP7 accounting and traffic shaping module (called the TPE module). When traffic exceeds configured traffic shaping bandwidth limits, traffic is dropped.
shaping: enables traffic shaping with queuing using the NP7 Queuing based Traffic Management (QTM) module. Traffic shaping with queuing schedules traffic in queues by implementing variations of a round robin algorithm. When traffic exceeds configured traffic shaping bandwidth limits, traffic is delayed for transport until bandwidth frees up. Traffic may be dropped if the queues are full. In most cases, traffic shaping with queuing will be more stable and will also improve performance for traffic shaping applied by NP7 processors.
QTM traffic shaping requires the MTU of all interfaces and the NP7 processors to be set to 6000 or lower. When you change the default-qos-type to shaping, if any interfaces have MTU values higher than 6000, the MTUs of these interfaces are reduced to 6000 when the FortiGate restarts. Interface MTUs lower than 6000 are not affected.
Also, if you change the default-qos-type to shaping, Fortinet recommends setting the config system npu option max-receive-unit to 6000. The max-receive-unit setting controls the maximum packet size accepted by NP7 processors. See max-receive-unit <size>.
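A pre-change check for the MTU requirement above, as an added example that is not Fortinet code: it reads a saved configuration backup and reports which interfaces would have their MTU reduced at restart and whether max-receive-unit is confirmed at 6000 or lower. It assumes interface MTUs appear as "set mtu <value>" under "config system interface"; the sample configuration and the function names are constructed for illustration.

```python
QTM_MAX_MTU = 6000  # limit this page gives for QTM traffic shaping

# Constructed sample of a configuration backup (not taken from a real device).
SAMPLE_CONFIG = """\
config system npu
    set default-qos-type shaping
    set max-receive-unit 9216
end
config system interface
    edit "port1"
        set mtu-override enable
        set mtu 9000
    next
    edit "port2"
        set mtu-override enable
        set mtu 1500
    next
    edit "port3"
        set vdom "root"
    next
end
"""

def iter_settings(text):
    """Yield (frames, key, value) per 'set' line; frames is the config/edit nesting."""
    stack = []
    for raw in text.splitlines():
        words = raw.split(None, 2)
        if not words:
            continue
        if words[0] in ("config", "edit") and len(words) > 1:
            stack.append((words[0], " ".join(words[1:]).strip('"')))
        elif words[0] in ("next", "end") and stack:
            stack.pop()
        elif words[0] == "set" and len(words) == 3:
            yield tuple(stack), words[1], words[2]

def qtm_precheck(text):
    """Report interface MTUs above 6000 and whether max-receive-unit is 6000 or lower."""
    over_limit, mru = {}, None
    for frames, key, value in iter_settings(text):
        if frames == (("config", "system npu"),) and key == "max-receive-unit":
            mru = int(value)
        elif (len(frames) == 2 and frames[0] == ("config", "system interface")
              and key == "mtu" and int(value) > QTM_MAX_MTU):
            over_limit[frames[1][1]] = int(value)  # would be cut to 6000 at restart
    # An absent max-receive-unit line means the backup cannot confirm the value.
    return {"mtu_over_limit": over_limit, "max_receive_unit": mru,
            "max_receive_unit_ok": mru is not None and mru <= QTM_MAX_MTU}
```

Calling qtm_precheck(SAMPLE_CONFIG) flags port1 (MTU 9000) and the max-receive-unit value of 9216; port2 and port3 are not reported.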
The FortiGate restarts after changing the QoS type.
A configuration change that causes a FortiGate to restart can disrupt the operation of an FGCP cluster. If possible, you should make this configuration change to the individual FortiGates before setting up the cluster. If the cluster is already operating, you should temporarily remove the secondary FortiGate(s) from the cluster, change the configuration of the individual FortiGates and then re-form the cluster. You can remove FortiGate(s) from a cluster using the Remove Device from HA cluster button on the System > HA GUI page. For more information, see Disconnecting a FortiGate.
Traffic shaping with queuing using the NP7 QTM module is not compatible with carrier-grade NAT and hyperscale firewall features. If you enable the hyperscale firewall license you cannot set
In some cases, setting the default-qos-type to shaping to enable QTM may cause the NP7 processor to periodically stop forwarding traffic. This may occur randomly every few days. If this happens you need to restart the FortiGate unit to resume normal operation.
You can use the following command to prevent NP7 QTM from blocking traffic:
config system npu
set qtm-buf-mode 4ch
end
For more information, see qtm-buf-mode {6ch | 4ch}.