FortiGate traffic

Security policies do not apply to administrative access to the FortiGate through HTTPS or SSH, or to IPsec tunnel negotiations, so FortiGate units do not apply traffic shaping to that traffic. Such traffic also uses the highest priority queue, queue 0. In other words:

packet priority = 0

Exceptions to this rule are connections that are related to a session governed by a security policy. For example, if you have enabled scanning by FortiGuard antivirus, traffic from the sender technically terminates at the FortiGate proxy that scans that traffic type; the FortiGate unit then initiates a second connection that transmits the scanned content to its destination. Because the second connection’s traffic technically originates from the FortiGate proxy, and therefore from the FortiGate unit itself, it uses the highest priority queue, queue 0. However, this connection is logically associated with through traffic, and is therefore subject to any bandwidth enforcement and guarantees in its governing security policy. In this way, it behaves partly like other through traffic.

Through traffic

For traffic passing through the FortiGate unit, the method the FortiGate unit uses to determine the priority queue depends on whether Traffic Shaping is enabled. Packets may or may not use a priority queue derived, directly or indirectly, from the type of service (ToS) bits in the packet’s IP header (differentiated services is sometimes used in place of ToS).

If Traffic Shaping is not applied to a security policy, the FortiGate unit neither limits nor guarantees bandwidth, and traffic for that session uses the priority queue determined directly by matching the ToS bits in its header with your configured values:

    config system global
        set traffic-priority tos
        set traffic-priority-level {high | low | medium}
    end


or, if you have configured a priority specifically for that ToS value:

    config system tos-based-priority
        edit <id_int>
            set tos [0-15]
            set priority {high | low | medium}
        next
    end


where tos is the value of the ToS bits in the packet’s IP header, and high has a priority value of 0, medium is 1 and low is 2. Priority values configured in the second location (per ToS value) override the global ToS-based priority. In other words:

packet priority = ToS-based priority


For example, you might specify that packets with a ToS value of 2 should use queue 0, the highest priority queue:

    config system tos-based-priority
        edit 15
            set tos 2
            set priority high
        next
    end


If traffic shaping is applied to a security policy using a shared shaper, the FortiGate unit may subject packets to traffic policing or priority queue increases in an effort to meet bandwidth guarantees configured in the shaper.

 

For example, you might create a Shared Shaper, where high has a priority value of 1 and low is 3, and <rate> is the bandwidth limit in kilobits per second:

    config firewall shaper traffic-shaper
        edit <shaper_name>
            set priority {high | medium | low}
            set maximum-bandwidth <rate>
            set guaranteed-bandwidth <rate>
        next
    end


Note that it is also necessary to create a traffic shaping policy and set it to use the shared shaper:

    config firewall shaping-policy
        edit <policy ID>
            set srcaddr <source address>
            set dstaddr <destination address>
            set service <service name>
            set dstintf <destination interface list>
            set traffic-shaper <shaper_name>
        next
    end


The diagram below illustrates traffic queuing as the packet rate increases.

[Figure: Traffic queuing as the packet rate increases]

  • If the current packet rate is less than Guaranteed Bandwidth, packets use priority queue 0:

packet priority = 0

  • If the current packet rate is greater than Guaranteed Bandwidth but less than Maximum Bandwidth, the FortiGate unit assigns a priority queue by adding the numerical value of the security policy-based priority (High is 1, Low is 3) to the numerical value of the ToS-based priority (high is 0, low is 2). Because the two values are added, depending on the configured ToS-based priorities, packets in this category could use queues from queue 1 to queue 5. In other words:

packet priority = ToS-based priority + security policy-based priority

    For example, if you have enabled Traffic Shaping in the security policy, the security policy’s Traffic Priority is Low (value 3), and the priority normally applied to packets with that ToS value is medium (value 1), then packets have a total packet priority of 4 and use priority queue 4.

  • If the current packet rate exceeds Maximum Bandwidth, excess packets are dropped.
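
The queue-selection rules above, written out as a small Python model so a given ToS value, shaper setting and observed packet rate can be checked against the expected queue. This is an added example, not code from the handbook or from Fortinet; the priority value tables are those stated in the text, while the dict layouts, the value 2 for a medium shaper priority, and the handling of a rate exactly equal to a threshold are assumptions.

```python
# Added example, not Fortinet's code: a model of the FortiOS 5.4 queue selection
# described above. The priority value tables are the ones given in the text;
# the dict layouts, medium = 2 for the shaper priority, and the treatment of a
# rate exactly equal to a threshold (guaranteed or maximum) are assumptions.
TOS_PRIORITY_VALUE = {"high": 0, "medium": 1, "low": 2}     # ToS-based priority
POLICY_PRIORITY_VALUE = {"high": 1, "medium": 2, "low": 3}  # shared-shaper priority


def tos_based_priority(tos, global_level="medium", per_tos=None):
    """ToS-based priority value for a ToS value 0-15.

    per_tos mirrors 'config system tos-based-priority' entries ({tos: level})
    and overrides global_level ('set traffic-priority-level').
    """
    if not 0 <= tos <= 15:
        raise ValueError("tos must be in the range 0-15")
    level = (per_tos or {}).get(tos, global_level)
    return TOS_PRIORITY_VALUE[level]


def packet_queue(tos, rate_kbps, shaper=None, to_fortigate=False, **tos_cfg):
    """Priority queue number (0 = highest) for a packet, or None if dropped.

    shaper is None when the security policy has no traffic shaping; otherwise a
    dict with 'priority', 'guaranteed_bandwidth' and 'maximum_bandwidth' (kbps)
    as set under 'config firewall shaper traffic-shaper'.
    """
    if to_fortigate:                      # admin access / IPsec negotiation
        return 0
    tos_prio = tos_based_priority(tos, **tos_cfg)
    if shaper is None:                    # no shaping: ToS alone decides
        return tos_prio
    if rate_kbps < shaper["guaranteed_bandwidth"]:
        return 0                          # within the guarantee: top queue
    if rate_kbps < shaper["maximum_bandwidth"]:
        # between guarantee and maximum: queue 1..5 from the two priorities
        return tos_prio + POLICY_PRIORITY_VALUE[shaper["priority"]]
    return None                           # above maximum bandwidth: dropped


if __name__ == "__main__":
    # Worked case from the text: policy priority Low (3) + ToS medium (1) = queue 4
    shaper = {"priority": "low", "guaranteed_bandwidth": 1000, "maximum_bandwidth": 2000}
    for rate in (500, 1500, 2500):
        print(rate, "kbps ->", packet_queue(2, rate, shaper))
    # The page's own example config: ToS 2 mapped to high overrides the global level
    print("unshaped, tos 2 ->", packet_queue(2, 1500, per_tos={2: "high"}))
```
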

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
