Traffic shaping policies
A traffic shaping policy is a rule that matches traffic to a traffic shaper or assign them to a class based on certain IP header fields and/or upper layer criteria. The matching traffic will apply a traffic shaper, class ID, or assign a DSCP DiffServ tag to the outgoing traffic. For example, it can match traffic based on source and destination IP, service, application, and URL category. One common use case is to match traffic based on the ToS or DS (differentiated services) field in the IP header. This allows Type of Service or Differentiated Services (DiffServ) tags to be read from traffic from a downstream device and prioritized accordingly on the FortiProxy based on the traffic shaper or the shaping profile applied on the interface.
The traffic shaping policies must be placed in the correct order in the traffic shaping policy list page to obtain the desired results. Policies are matched from top-down, so the traffic shaping policies should be arranged in a sequence that places the more granular policies above general policies.
The policy can be configured by going to Policy & Objects > Traffic Shaping and selecting the Traffic Shaping Policies tab. If the menu does not display the traffic shaping settings, go to System > Feature Visibility and enable Traffic Shaping.
Configuring traffic shaping policies
A traffic shaping policy can be split into two parts:
- Options used to match the traffic
- Options used to apply actions to the matched traffic
The following options can be configured for traffic matching criteria. Some options can only be configured from the CLI.
GUI option (under Policy & Objects > Traffic Shaping > Traffic Shaping Policies) |
CLI option (under |
Description |
|
---|---|---|---|
Source |
|
|
|
|
Address |
set srcaddr <address_object> |
Select the address object to match the source IP. |
Destination |
|
|
|
|
Address |
set dstaddr <address_object> |
Select the address object to match the destination IP. |
Service Type |
|
Select the service type: firewall service or internet service. |
|
Service |
set service <name1>, <name2> |
Select the firewall service or service group for the traffic. |
|
Internet Service |
set internet-service-name <name> set internet-service-group <group> set internet-service-custom <custom> set internet-service-custom-group <custom_group> |
Select the internet service to match the destination of the incoming traffic. Internet service currently cannot be used with destination address and service. |
|
Users |
set users <name1>, <name2>, ... |
Select the authenticated users to apply this traffic shaping policy to. |
|
Groups |
|
set groups <name1>, <name2>, ... |
Select the authenticated user groups to apply this traffic shaping policy to. |
The following options can be configured for actions to apply to the matched traffic:
GUI option |
CLI option |
Description |
|
---|---|---|---|
Outgoing interface |
set dstintf <interface> |
Select the destination interface that the traffic shaping applies to (required). |
|
Apply shaper |
|
|
|
|
Shared shaper |
set traffic-shaper <shaper> |
Select the shared shaper to be applied to traffic in the ingress-to-egress direction. For example, on traffic that egresses on the wan interface, the shaper is applied to upload or outbound traffic. |
|
Reverse shaper |
set traffic-shaper-reverse <shaper> |
Select the reverse shaper to be applied to traffic in the egress-to-ingress direction. For example, on traffic that egresses on the wan interface, the shaper is applied to download or inbound traffic. |
|
Per-IP shaper |
set per-ip-shaper <shaper> |
Select the per-IP shaper. Per-IP shapers affect downloads and uploads. The allotted bandwidth applies to each individual IP. In a shared shaper, the allotted bandwidth applies to all IPs. |
Assign shaping class ID |
|
|
|
|
Traffic shaping class ID |
set class-id <class> |
Set the class ID to apply the matching traffic. Class IDs are further prioritized within a traffic shaping profile and applied to an interface. |
n/a |
set diffserv-forward {enable | disable} set diffservcode-forward <code> set diffserv-reverse {enable | disable} set diffservcode-reverse <code> |
Specify the settings to apply a DSCP tag to the forward or reverse traffic. The DiffServ code is in 6-bit binary format. These options can only be configured in the CLI. |
Traffic shapers and class IDs can be applied at the same time when configuring traffic shaping policies. However, to reduce the complexity, it is recommended to use one method over the other.
The following topics include examples with traffic shaping policies: