Fortinet white logo
Fortinet white logo

Administration Guide

Traffic shaping policies

Traffic shaping policies

A traffic shaping policy is a rule that matches traffic to a traffic shaper or assign them to a class based on certain IP header fields and/or upper layer criteria. The matching traffic will apply a traffic shaper, class ID, or assign a DSCP DiffServ tag to the outgoing traffic. For example, it can match traffic based on source and destination IP, service, application, and URL category. One common use case is to match traffic based on the ToS or DS (differentiated services) field in the IP header. This allows Type of Service or Differentiated Services (DiffServ) tags to be read from traffic from a downstream device and prioritized accordingly on the FortiProxy based on the traffic shaper or the shaping profile applied on the interface.

The traffic shaping policies must be placed in the correct order in the traffic shaping policy list page to obtain the desired results. Policies are matched from top-down, so the traffic shaping policies should be arranged in a sequence that places the more granular policies above general policies.

The policy can be configured by going to Policy & Objects > Traffic Shaping and selecting the Traffic Shaping Policies tab. If the menu does not display the traffic shaping settings, go to System > Feature Visibility and enable Traffic Shaping.

Configuring traffic shaping policies

A traffic shaping policy can be split into two parts:

  • Options used to match the traffic
  • Options used to apply actions to the matched traffic

The following options can be configured for traffic matching criteria. Some options can only be configured from the CLI.

GUI option

(under Policy & Objects > Traffic Shaping > Traffic Shaping Policies)

CLI option

(under config firewall shaping-policy)

Description

Source

Address

set srcaddr <address_object>

Select the address object to match the source IP.

Destination

Address

set dstaddr <address_object>

Select the address object to match the destination IP.

Service Type

set service-type [service|internet-service]

Select the service type: firewall service or internet service.

Service

set service <name1>, <name2>

Select the firewall service or service group for the traffic.

Internet Service

set internet-service-name <name>

set internet-service-group <group>

set internet-service-custom <custom>

set internet-service-custom-group <custom_group>

Select the internet service to match the destination of the incoming traffic. Internet service currently cannot be used with destination address and service.

Users

set users <name1>, <name2>, ...

Select the authenticated users to apply this traffic shaping policy to.

Groups

set groups <name1>, <name2>, ...

Select the authenticated user groups to apply this traffic shaping policy to.

The following options can be configured for actions to apply to the matched traffic:

GUI option

CLI option

Description

Outgoing interface

set dstintf <interface>

Select the destination interface that the traffic shaping applies to (required).

Apply shaper

Shared shaper

set traffic-shaper <shaper>

Select the shared shaper to be applied to traffic in the ingress-to-egress direction. For example, on traffic that egresses on the wan interface, the shaper is applied to upload or outbound traffic.

Reverse shaper

set traffic-shaper-reverse <shaper>

Select the reverse shaper to be applied to traffic in the egress-to-ingress direction. For example, on traffic that egresses on the wan interface, the shaper is applied to download or inbound traffic.

Per-IP shaper

set per-ip-shaper <shaper>

Select the per-IP shaper. Per-IP shapers affect downloads and uploads. The allotted bandwidth applies to each individual IP. In a shared shaper, the allotted bandwidth applies to all IPs.

Assign shaping class ID

Traffic shaping class ID

set class-id <class>

Set the class ID to apply the matching traffic. Class IDs are further prioritized within a traffic shaping profile and applied to an interface.

n/a

set diffserv-forward {enable | disable}

set diffservcode-forward <code>

set diffserv-reverse {enable | disable}

set diffservcode-reverse <code>

Specify the settings to apply a DSCP tag to the forward or reverse traffic. The DiffServ code is in 6-bit binary format.

These options can only be configured in the CLI.

Traffic shapers and class IDs can be applied at the same time when configuring traffic shaping policies. However, to reduce the complexity, it is recommended to use one method over the other.

The following topics include examples with traffic shaping policies:

Traffic shaping policies

Traffic shaping policies

A traffic shaping policy is a rule that matches traffic to a traffic shaper or assign them to a class based on certain IP header fields and/or upper layer criteria. The matching traffic will apply a traffic shaper, class ID, or assign a DSCP DiffServ tag to the outgoing traffic. For example, it can match traffic based on source and destination IP, service, application, and URL category. One common use case is to match traffic based on the ToS or DS (differentiated services) field in the IP header. This allows Type of Service or Differentiated Services (DiffServ) tags to be read from traffic from a downstream device and prioritized accordingly on the FortiProxy based on the traffic shaper or the shaping profile applied on the interface.

The traffic shaping policies must be placed in the correct order in the traffic shaping policy list page to obtain the desired results. Policies are matched from top-down, so the traffic shaping policies should be arranged in a sequence that places the more granular policies above general policies.

The policy can be configured by going to Policy & Objects > Traffic Shaping and selecting the Traffic Shaping Policies tab. If the menu does not display the traffic shaping settings, go to System > Feature Visibility and enable Traffic Shaping.

Configuring traffic shaping policies

A traffic shaping policy can be split into two parts:

  • Options used to match the traffic
  • Options used to apply actions to the matched traffic

The following options can be configured for traffic matching criteria. Some options can only be configured from the CLI.

GUI option

(under Policy & Objects > Traffic Shaping > Traffic Shaping Policies)

CLI option

(under config firewall shaping-policy)

Description

Source

Address

set srcaddr <address_object>

Select the address object to match the source IP.

Destination

Address

set dstaddr <address_object>

Select the address object to match the destination IP.

Service Type

set service-type [service|internet-service]

Select the service type: firewall service or internet service.

Service

set service <name1>, <name2>

Select the firewall service or service group for the traffic.

Internet Service

set internet-service-name <name>

set internet-service-group <group>

set internet-service-custom <custom>

set internet-service-custom-group <custom_group>

Select the internet service to match the destination of the incoming traffic. Internet service currently cannot be used with destination address and service.

Users

set users <name1>, <name2>, ...

Select the authenticated users to apply this traffic shaping policy to.

Groups

set groups <name1>, <name2>, ...

Select the authenticated user groups to apply this traffic shaping policy to.

The following options can be configured for actions to apply to the matched traffic:

GUI option

CLI option

Description

Outgoing interface

set dstintf <interface>

Select the destination interface that the traffic shaping applies to (required).

Apply shaper

Shared shaper

set traffic-shaper <shaper>

Select the shared shaper to be applied to traffic in the ingress-to-egress direction. For example, on traffic that egresses on the wan interface, the shaper is applied to upload or outbound traffic.

Reverse shaper

set traffic-shaper-reverse <shaper>

Select the reverse shaper to be applied to traffic in the egress-to-ingress direction. For example, on traffic that egresses on the wan interface, the shaper is applied to download or inbound traffic.

Per-IP shaper

set per-ip-shaper <shaper>

Select the per-IP shaper. Per-IP shapers affect downloads and uploads. The allotted bandwidth applies to each individual IP. In a shared shaper, the allotted bandwidth applies to all IPs.

Assign shaping class ID

Traffic shaping class ID

set class-id <class>

Set the class ID to apply the matching traffic. Class IDs are further prioritized within a traffic shaping profile and applied to an interface.

n/a

set diffserv-forward {enable | disable}

set diffservcode-forward <code>

set diffserv-reverse {enable | disable}

set diffservcode-reverse <code>

Specify the settings to apply a DSCP tag to the forward or reverse traffic. The DiffServ code is in 6-bit binary format.

These options can only be configured in the CLI.

Traffic shapers and class IDs can be applied at the same time when configuring traffic shaping policies. However, to reduce the complexity, it is recommended to use one method over the other.

The following topics include examples with traffic shaping policies: