Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiProxy 7.2.11 Administration Guide
    7.2.11
    7.6.0
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.0
    7.0.19
    7.0.17
    7.0.0
    2.0.0
    1.2.0
    1.1.0
    1.0.0

    Traffic shaping policies

    Traffic shaping policies

    A traffic shaping policy is a rule that matches traffic to a traffic shaper or assign them to a class based on certain IP header fields and/or upper layer criteria. The matching traffic will apply a traffic shaper, class ID, or assign a DSCP DiffServ tag to the outgoing traffic. For example, it can match traffic based on source and destination IP, service, application, and URL category. One common use case is to match traffic based on the ToS or DS (differentiated services) field in the IP header. This allows Type of Service or Differentiated Services (DiffServ) tags to be read from traffic from a downstream device and prioritized accordingly on the FortiProxy based on the traffic shaper or the shaping profile applied on the interface.

    The traffic shaping policies must be placed in the correct order in the traffic shaping policy list page to obtain the desired results. Policies are matched from top-down, so the traffic shaping policies should be arranged in a sequence that places the more granular policies above general policies.

    The policy can be configured by going to Policy & Objects > Traffic Shaping and selecting the Traffic Shaping Policies tab. If the menu does not display the traffic shaping settings, go to System > Feature Visibility and enable Traffic Shaping.

    Configuring traffic shaping policies

    A traffic shaping policy can be split into two parts:

    • Options used to match the traffic
    • Options used to apply actions to the matched traffic

    The following options can be configured for traffic matching criteria. Some options can only be configured from the CLI.

    GUI option

    (under Policy & Objects > Traffic Shaping > Traffic Shaping Policies)

    CLI option

    (under config firewall shaping-policy)

    Description

    Source

    Address

    set srcaddr <address_object>

    Select the address object to match the source IP.

    Destination

    Address

    set dstaddr <address_object>

    Select the address object to match the destination IP.

    Service Type

    set service-type [service|internet-service]

    Select the service type: firewall service or internet service.

    Service

    set service <name1>, <name2>

    Select the firewall service or service group for the traffic.

    Internet Service

    set internet-service-name <name>

    set internet-service-group <group>

    set internet-service-custom <custom>

    set internet-service-custom-group <custom_group>

    Select the internet service to match the destination of the incoming traffic. Internet service currently cannot be used with destination address and service.

    Schedule

    set schedule <schedule>

    Enable to select a schedule (one-time, recurring, or group).

    Users

    set users <name1>, <name2>, ...

    Select the authenticated users to apply this traffic shaping policy to.

    Groups

    set groups <name1>, <name2>, ...

    Select the authenticated user groups to apply this traffic shaping policy to.

    The following options can be configured for actions to apply to the matched traffic:

    GUI option

    CLI option

    Description

    Outgoing interface

    set dstintf <interface>

    Select the destination interface that the traffic shaping applies to (required).

    Apply shaper

    Shared shaper

    set traffic-shaper <shaper>

    Select the shared shaper to be applied to traffic in the ingress-to-egress direction. For example, on traffic that egresses on the wan interface, the shaper is applied to upload or outbound traffic.

    Reverse shaper

    set traffic-shaper-reverse <shaper>

    Select the reverse shaper to be applied to traffic in the egress-to-ingress direction. For example, on traffic that egresses on the wan interface, the shaper is applied to download or inbound traffic.

    Per-IP shaper

    set per-ip-shaper <shaper>

    Select the per-IP shaper. Per-IP shapers affect downloads and uploads. The allotted bandwidth applies to each individual IP. In a shared shaper, the allotted bandwidth applies to all IPs.

    Assign shaping class ID

    Traffic shaping class ID

    set class-id <class>

    Set the class ID to apply the matching traffic. Class IDs are further prioritized within a traffic shaping profile and applied to an interface.

    n/a

    set diffserv-forward {enable | disable}

    set diffservcode-forward <code>

    set diffserv-reverse {enable | disable}

    set diffservcode-reverse <code>

    Specify the settings to apply a DSCP tag to the forward or reverse traffic. The DiffServ code is in 6-bit binary format.

    These options can only be configured in the CLI.

    Traffic shapers and class IDs can be applied at the same time when configuring traffic shaping policies. However, to reduce the complexity, it is recommended to use one method over the other.

    The following topics include examples with traffic shaping policies:

    Previous
    Next

    Traffic shaping policies

    Traffic shaping policies

    A traffic shaping policy is a rule that matches traffic to a traffic shaper or assign them to a class based on certain IP header fields and/or upper layer criteria. The matching traffic will apply a traffic shaper, class ID, or assign a DSCP DiffServ tag to the outgoing traffic. For example, it can match traffic based on source and destination IP, service, application, and URL category. One common use case is to match traffic based on the ToS or DS (differentiated services) field in the IP header. This allows Type of Service or Differentiated Services (DiffServ) tags to be read from traffic from a downstream device and prioritized accordingly on the FortiProxy based on the traffic shaper or the shaping profile applied on the interface.

    The traffic shaping policies must be placed in the correct order in the traffic shaping policy list page to obtain the desired results. Policies are matched from top-down, so the traffic shaping policies should be arranged in a sequence that places the more granular policies above general policies.

    The policy can be configured by going to Policy & Objects > Traffic Shaping and selecting the Traffic Shaping Policies tab. If the menu does not display the traffic shaping settings, go to System > Feature Visibility and enable Traffic Shaping.

    Configuring traffic shaping policies

    A traffic shaping policy can be split into two parts:

    • Options used to match the traffic
    • Options used to apply actions to the matched traffic

    The following options can be configured for traffic matching criteria. Some options can only be configured from the CLI.

    GUI option

    (under Policy & Objects > Traffic Shaping > Traffic Shaping Policies)

    CLI option

    (under config firewall shaping-policy)

    Description

    Source

    Address

    set srcaddr <address_object>

    Select the address object to match the source IP.

    Destination

    Address

    set dstaddr <address_object>

    Select the address object to match the destination IP.

    Service Type

    set service-type [service|internet-service]

    Select the service type: firewall service or internet service.

    Service

    set service <name1>, <name2>

    Select the firewall service or service group for the traffic.

    Internet Service

    set internet-service-name <name>

    set internet-service-group <group>

    set internet-service-custom <custom>

    set internet-service-custom-group <custom_group>

    Select the internet service to match the destination of the incoming traffic. Internet service currently cannot be used with destination address and service.

    Schedule

    set schedule <schedule>

    Enable to select a schedule (one-time, recurring, or group).

    Users

    set users <name1>, <name2>, ...

    Select the authenticated users to apply this traffic shaping policy to.

    Groups

    set groups <name1>, <name2>, ...

    Select the authenticated user groups to apply this traffic shaping policy to.

    The following options can be configured for actions to apply to the matched traffic:

    GUI option

    CLI option

    Description

    Outgoing interface

    set dstintf <interface>

    Select the destination interface that the traffic shaping applies to (required).

    Apply shaper

    Shared shaper

    set traffic-shaper <shaper>

    Select the shared shaper to be applied to traffic in the ingress-to-egress direction. For example, on traffic that egresses on the wan interface, the shaper is applied to upload or outbound traffic.

    Reverse shaper

    set traffic-shaper-reverse <shaper>

    Select the reverse shaper to be applied to traffic in the egress-to-ingress direction. For example, on traffic that egresses on the wan interface, the shaper is applied to download or inbound traffic.

    Per-IP shaper

    set per-ip-shaper <shaper>

    Select the per-IP shaper. Per-IP shapers affect downloads and uploads. The allotted bandwidth applies to each individual IP. In a shared shaper, the allotted bandwidth applies to all IPs.

    Assign shaping class ID

    Traffic shaping class ID

    set class-id <class>

    Set the class ID to apply the matching traffic. Class IDs are further prioritized within a traffic shaping profile and applied to an interface.

    n/a

    set diffserv-forward {enable | disable}

    set diffservcode-forward <code>

    set diffserv-reverse {enable | disable}

    set diffservcode-reverse <code>

    Specify the settings to apply a DSCP tag to the forward or reverse traffic. The DiffServ code is in 6-bit binary format.

    These options can only be configured in the CLI.

    Traffic shapers and class IDs can be applied at the same time when configuring traffic shaping policies. However, to reduce the complexity, it is recommended to use one method over the other.

    The following topics include examples with traffic shaping policies:

    Previous
    Next