
Administration Guide

Ingress traffic shaping profile

A traffic shaping profile can be applied to an interface for traffic in the ingress direction. Similar to an egress traffic shaping profile, the guaranteed bandwidth and priority of the profile will be respected when an interface receives inbound traffic. When congestion occurs, any remaining bandwidth will be allotted to classes based on priority.

Example

In this example, the port2 interface has a total inbound bandwidth of 100 Mbps. Traffic from certain clients to certain servers is assigned different classes.

IPv6 traffic from any client PCs to server PCs is assigned class 5.

For each class, the priority, guaranteed bandwidth, and maximum bandwidth are as follows:

Class   Priority   Guaranteed bandwidth   Maximum bandwidth
2       Low        10%                    60%
3       High       20%                    100%
4       High       30%                    100%
5       Medium     10%                    50%

Bandwidth is first allotted to each class according to its guaranteed bandwidth. The remaining available bandwidth is then allotted to classes 3 and 4 first, based on their priority. That allocation is proportional to their guaranteed bandwidth ratio.
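As an added illustration (not part of the Fortinet guide), the following Python model applies the allocation rule above to the table's values, assuming every class is saturated and an inbandwidth of 100000 kbps. Re-splitting the share of a class that reaches its maximum and passing leftover bandwidth to lower-priority tiers are assumptions of this model that generalize the rule; the names `PROFILE` and `allocate` are hypothetical.

```python
# Added example: a model of the rule described above, not FortiOS code.
# Assumption: every class offers more traffic than it can be given.
PRIORITY_ORDER = ("high", "medium", "low")

# class-id: (priority, guaranteed %, maximum %), from the table on this page.
PROFILE = {
    2: ("low", 10, 60),
    3: ("high", 20, 100),
    4: ("high", 30, 100),
    5: ("medium", 10, 50),
}


def allocate(inbandwidth_kbps, profile):
    """Return {class_id: kbps}: guarantees first, then spare by priority."""
    alloc = {c: inbandwidth_kbps * g / 100 for c, (_, g, _) in profile.items()}
    cap = {c: inbandwidth_kbps * m / 100 for c, (_, _, m) in profile.items()}
    spare = inbandwidth_kbps - sum(alloc.values())
    if spare < 0:
        raise ValueError("guaranteed percentages exceed 100% of inbandwidth")
    for prio in PRIORITY_ORDER:
        tier = [c for c, (p, _, _) in profile.items() if p == prio]
        # Split spare within the tier in proportion to guaranteed bandwidth.
        # Assumption: a class that reaches its maximum drops out and its
        # unused share is re-split among the rest, then passed to lower tiers.
        while spare > 1e-9 and tier:
            weight = sum(profile[c][1] for c in tier)
            if weight == 0:
                break
            pool = spare
            for c in list(tier):
                give = min(pool * profile[c][1] / weight, cap[c] - alloc[c])
                alloc[c] += give
                spare -= give
                if cap[c] - alloc[c] <= 1e-9:
                    tier.remove(c)
    return alloc


if __name__ == "__main__":
    for class_id, kbps in sorted(allocate(100000, PROFILE).items()):
        print(f"class {class_id}: {kbps / 1000:.0f} Mbps")
```

For the profile on this page, the model gives classes 2, 3, 4 and 5 a share of 10, 32, 48 and 10 Mbps: the 30 Mbps left after the guarantees is split 12:18 between classes 3 and 4.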

To configure ingress traffic shaping:
  1. Configure the client and server addresses:
    config firewall address
        edit "pc1"
            set subnet 10.1.100.11 255.255.255.255
        next
        edit "pc2"
            set subnet 10.1.100.22 255.255.255.255
        next
        edit "pc4"
            set subnet 172.16.200.44 255.255.255.255
        next
        edit "pc5"
            set subnet 172.16.200.55 255.255.255.255
        next
    end
  2. Configure the class IDs:
    config firewall traffic-class
        edit 2
            set class-name "class2"
        next
        edit 3
            set class-name "class3"
        next
        edit 4
            set class-name "class4"
        next
        edit 5
            set class-name "class5"
        next
    end
  3. Configure traffic shaping policies to assign classes to each group of traffic.
    1. Configure a policy to assign traffic from PC1 to PC4 in class 2:
      config firewall shaping-policy
          edit 1
              set name "shaping policy 1"
              set service "ALL"
              set dstintf "wan1"
              set class-id 2
              set srcaddr "pc1"
              set dstaddr "pc4"
          next
      end
    2. Configure a policy to assign traffic from PC2 to PC4 in class 3:
      config firewall shaping-policy
          edit 2
              set name "shaping policy 2"
              set service "ALL"
              set dstintf "wan1"
              set class-id 3
              set srcaddr "pc2"
              set dstaddr "pc4"
          next
      end
    3. Configure a policy to assign traffic from PC2 to PC5 in class 4:
      config firewall shaping-policy
          edit 3
              set name "shaping policy 3"
              set service "ALL"
              set dstintf "wan1"
              set class-id 4
              set srcaddr "pc2"
              set dstaddr "pc5"
          next
      end
    4. Configure a policy to assign all IPv6 traffic to class 5:
      config firewall shaping-policy
          edit 4
              set name "shaping policy 4"
              set ip-version 6
              set service "ALL"
              set dstintf "wan1"
              set class-id 5
              set srcaddr6 "all"
              set dstaddr6 "all"
          next
      end
  4. Configure a shaping profile to set the priority, and the guaranteed and maximum bandwidth percentages for each class:
    config firewall shaping-profile
        edit "ingShapeProfile"
            set default-class-id 2
            config shaping-entries
                edit 2
                    set class-id 2
                    set priority low
                    set guaranteed-bandwidth-percentage 10
                    set maximum-bandwidth-percentage 60
                next
                edit 3
                    set class-id 3
                    set guaranteed-bandwidth-percentage 20
                    set maximum-bandwidth-percentage 100
                next
                edit 4
                    set class-id 4
                    set guaranteed-bandwidth-percentage 30
                    set maximum-bandwidth-percentage 100
                next
                edit 5
                    set class-id 5
                    set priority medium
                    set guaranteed-bandwidth-percentage 10
                    set maximum-bandwidth-percentage 50
                next
            end
        next
    end
  5. Configure the inbandwidth and apply the ingress shaping profile on port2:
    config system interface
        edit "port2"
            set ip 10.1.100.1 255.255.255.0
            set inbandwidth 100000
            set ingress-shaping-profile "ingShapeProfile"
            config ipv6
                set ip6-address 2000:10:1:100::1/64
            end
        next
    end

    Inbandwidth must be configured for traffic shaping to take effect.

  6. Configure firewall policies to allow IPv4 and IPv6 traffic to go through. Since traffic shaping is for inbound traffic on port2, the policy is defined from port2 to wan1:
    config firewall policy
        edit 20
            set uuid d9f9be4c-eaab-51ed-41d6-783cecc11c0c
            set srcintf "port2"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
        next
    end
    config firewall policy
        edit 21
            set uuid c535a92a-eaac-51ed-6e6c-3943f8c2dc8f
            set srcintf "port2"
            set dstintf "wan1"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
        next
    end
