
Hardware Acceleration

NP7 and NP7Lite (SOC5) traffic shaping


NP7 and NP7Lite (SOC5) processors support offloading for all FortiOS traffic shaping functions, including:

By default, NP7 or NP7Lite traffic shaping is applied to all offloaded traffic with traffic shaping configured. No special NP7 or NP7Lite configuration is required to support traffic shaping for offloaded traffic. In any traffic shaping configuration, you can choose to disable offloading. When offloading is disabled, traffic shaping is applied by the CPU.

NP7 and NP7Lite (SOC5) processors include two traffic shaping modules:

  • The accounting and traffic shaping module (called the TPE module) applies traffic shaping using policing. Policing drops packets when traffic exceeds configured bandwidth limits.

  • The queuing based Traffic Management (QTM) module applies traffic shaping using queuing. Queuing puts packets into queues when traffic exceeds the configured bandwidth limits, releasing packets from the queues as traffic bandwidth reduces. Queuing may drop packets if the queues are full.

NP7 Lite (SOC5) processors and traffic shaping

Ideally, you should be able to select the NP7 or NP7Lite traffic shaping module to use, depending on whether you want the NP7 processor to perform queuing or policing. In fact this choice is supported by FortiGates with NP7Lite processors.

For FortiGates with NP7Lite processors, you can use the following command to select the module that the NP7Lite processor uses to apply traffic shaping:

config system npu

set default-qos-type {policing | shaping}

end

The default setting is shaping, and the NP7Lite processor uses the QTM module to apply traffic shaping. If you change this option to policing, the NP7Lite processor applies traffic shaping using policing with the TPE module. One exception to this is that, for traffic shaping profiles applied to interfaces or IPsec VPN tunnels, even if the default-qos-type is shaping, NP7Lite processors apply traffic shaping using queuing with the QTM module.

| Traffic shaping type | NP7Lite (SOC5) traffic shaping module |
| --- | --- |
| Policy traffic shaping; Per-IP shaping; Regular port shaping (inbandwidth/outbandwidth) | The default-qos-type can be set to shaping (the default) or changed to policing. |
| Traffic shaping profiles applied to interfaces or IPsec VPN tunnels | Queuing using the QTM module. |

NP7 processors and traffic shaping

Due to NP7 hardware limitations, you can't change the default-qos-type for NP7 processors. Instead, default-qos-type is always set to policing and the NP7 processor selects the optimal traffic shaping module to use, based on internal and customer testing results. See the following table for details:

| Traffic shaping type | NP7 traffic shaping module |
| --- | --- |
| Policy traffic shaping; Per-IP shaping; Regular port shaping (inbandwidth/outbandwidth) | Policing using the TPE module. |
| Traffic shaping profiles applied to interfaces or IPsec VPN tunnels | Queuing using the QTM module. |

NP7 and NP7Lite traffic shaping limitations

  • Under most traffic conditions, the TPE module max shaper limit is 8Gbps. The TPE module can't reliably apply traffic shaping to higher bandwidth traffic flows.

  • Under most traffic conditions, the QTM module max shaper limit is 10Gbps per interface. The QTM module can't reliably apply traffic shaping to higher bandwidth traffic flows.

  • Policy traffic shaping, per-IP shaping, and regular port shaping (outbandwidth enabled on an interface without a shaping profile) always apply traffic shaping using policing with the TPE module.

  • Traffic shaping profiles applied to interfaces or IPsec VPN tunnels always apply traffic shaping using queuing with the QTM module. The interface can be a physical interface, LAG interface, or VLAN interface (over physical or LAG). Applying traffic shaping profiles to interfaces or IPsec VPN tunnels is also called Multiclass shaping (MCS).

  • Traffic shaping profiles applied to interfaces or IPsec VPN tunnels can support a maximum of 100 interfaces. When the QTM module exceeds 100 interfaces, shaper offloading fails and traffic won’t be offloaded or shaping will not work.

  • In many cases, the 100-interface limit may not be a problem. However, dialup IPsec VPN can create a large number of interfaces, so in most cases NP7 offloading for dialup IPsec VPN configurations with traffic shaping may not work as expected.

  • The QTM module supports packets with an MTU value of 6000 or less. You should check your configuration to make sure all interfaces in the path of traffic shaping profiles applied to interfaces or IPsec VPN tunnels are set to an MTU value of 6000 or less.

  • NP7 and NP7Lite processors do not support setting a priority in a traffic shaping profile. The priority option is ignored by NP7 and NP7Lite processors. Otherwise, once the guaranteed bandwidth is satisfied, traffic shaping works as expected for NP7 or NP7Lite-offloaded sessions.

    The priority setting does apply to software sessions on FortiGates with NP7 or NP7Lite processors.
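The limits above can be checked against a configuration backup before relying on offloaded shaping. The following script is an added example, not Fortinet code: it parses the config system interface block and flags the MTU, 100-interface and 8Gbps limits. It assumes outbandwidth is expressed in kbps and that a configured mtu only takes effect when mtu-override is enabled; the sample configuration is constructed.

```python
import re
QTM_MAX_INTERFACES = 100   # page: QTM supports at most 100 shaped interfaces
QTM_MAX_MTU = 6000         # page: QTM supports packets with an MTU of 6000 or less
TPE_MAX_KBPS = 8_000_000   # page: TPE max shaper limit is 8Gbps (assumed kbps units)

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = '''config system interface
    edit "port1"
        set egress-shaping-profile "wan-profile"
        set mtu-override enable
        set mtu 9000
    next
    edit "port2"
        set outbandwidth 9500000
    next
end
'''

def parse_interfaces(config_text):
    """Return {interface name: {option: value}} from 'config system interface'."""
    interfaces, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            # Track nesting so an inner "config ipv6 ... end" does not close the block.
            depth = depth + 1 if depth else int(line == "config system interface")
        elif line == "end" and depth:
            depth -= 1
        elif depth == 1 and (m := re.match(r'edit "?([^"]+)"?$', line)):
            current = interfaces.setdefault(m.group(1), {})
        elif depth == 1 and current is not None and (m := re.match(r'set (\S+) "?([^"]*)"?$', line)):
            current[m.group(1)] = m.group(2)
    return interfaces

def audit(config_text):
    """Return findings for the NP7/NP7Lite shaping limits listed above."""
    findings, shaped = [], []
    for name, opts in parse_interfaces(config_text).items():
        # Assumption: without mtu-override the interface uses the default MTU of 1500.
        mtu = int(opts.get("mtu", 1500)) if opts.get("mtu-override") == "enable" else 1500
        if "egress-shaping-profile" in opts:       # shaping profile on interface: QTM
            shaped.append(name)
            if mtu > QTM_MAX_MTU:
                findings.append(f"{name}: MTU {mtu} exceeds QTM limit {QTM_MAX_MTU}")
        elif int(opts.get("outbandwidth", 0)) > TPE_MAX_KBPS:   # port shaping: TPE
            findings.append(f"{name}: outbandwidth above the 8Gbps TPE limit")
    if len(shaped) > QTM_MAX_INTERFACES:
        findings.append(f"{len(shaped)} shaped interfaces exceed the QTM limit of {QTM_MAX_INTERFACES}")
    return findings
```

The MTU check covers only the interface that carries the profile, not every interface in the traffic path, and the interface count covers only interfaces present in the backup.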
