SD-WAN traffic shaping and QoS with SD-WAN

Use traffic shaper in a firewall shaping policy to control traffic flow. You can use it to control maximum and guaranteed bandwidth, or put certain traffic to one of the three different traffic priorities: high, medium, or low.

An advanced shaping policy can classify traffic into 30 groups. Use a shaping profile to define the percentage of the interface bandwidth that is allocated to each group. Each group of traffic is shaped to the assigned speed limit based on the outgoing bandwidth limit configured on the interface.

For more information, see the online help on shared policy traffic shaping and interface-based traffic shaping.

Sample topology

Sample configuration

This example shows a typical customer setup in which the customer's SD-WAN has two members, wan1 and wan2, each with a bandwidth of 10Mb/s.

An overview of the procedures to configure SD-WAN traffic shaping and QoS with SD-WAN includes:

  1. Give HTTP/HTTPS traffic high priority and give FTP low priority so that if there are conflicts, FortiGate will forward HTTP/HTTPS traffic first.
  2. Even though FTP has low priority, configure FortiGate to give it a 1Mb/s guaranteed bandwidth on each SD-WAN member so that if there is no FTP traffic, other traffic can use all the bandwidth. If there is heavy FTP traffic, it can still be guaranteed a 1Mb/s bandwidth.
  3. Traffic going to specific destinations such as a VOIP server uses wan1 to forward, and SD-WAN forwards with an Expedited Forwarding (EF) DSCP tag 101110.

To configure SD-WAN traffic shaping and QoS with SD-WAN in the GUI:

  1. On the FortiGate, enable SD-WAN and add wan1 and wan2 as SD-WAN members, then add a policy and static route. See Creating the SD-WAN interface on page 105.
  2. When you add a firewall policy, enable Application Control.
  3. Go to Policy & Objects > Traffic Shapers and edit low-priority.
    1. Enable Guaranteed Bandwidth and set it to 1000.
  4. Go to Policy & Objects > Traffic Shaping Policy and click Create New.
    1. Name the traffic shaping policy, for example, HTTP-HTTPS.
    2. Click the Source box and select all.
    3. Click the Destination box and select all.
    4. Click the Service box and select HTTP and HTTPS.
    5. Click the Outgoing Interface box and select SD-WAN.
    6. Enable both Shared Shaper and Reverse Shaper and select high-priority for both options. Click OK.
  5. Go to Policy & Objects > Traffic Shaping Policy and click Create New.
    1. Name the traffic shaping policy, for example, FTP.
    2. Click the Source box and select all.
    3. Click the Destination box and select all.
    4. Click the Service box and select FTP, FTP_GET, and FTP_PUT.
    5. Click the Outgoing Interface box and select SD-WAN.
    6. Enable both Shared Shaper and Reverse Shaper and select low-priority for both options. Click OK.
  6. Go to Network > SD-WAN Rules and click Create New.
    1. Enter a name for the rule, such as Internet.
    2. In the Destination section, click the Address box and select the VOIP server you created in the firewall address.
    3. For Strategy, select Manual.
    4. For Interface preference, select wan1.
    5. Click OK.
  7. Use CLI commands to modify DSCP settings. See the DSCP CLI commands below.

To configure the firewall policy using the CLI:

config firewall policy
    edit 1
        set name "1"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

To configure the firewall traffic shaper priority using the CLI:

config firewall shaper traffic-shaper
    edit "high-priority"
        set maximum-bandwidth 1048576
        set per-policy enable
    next
    edit "low-priority"
        set guaranteed-bandwidth 1000
        set maximum-bandwidth 1048576
        set priority low
        set per-policy enable
    next
end

To configure the firewall traffic shaping policy using the CLI:

config firewall shaping-policy
    edit 1
        set name "http-https"
        set service "HTTP" "HTTPS"
        set dstintf "virtual-wan-link"
        set traffic-shaper "high-priority"
        set traffic-shaper-reverse "high-priority"
        set srcaddr "all"
        set dstaddr "all"
    next
    edit 2
        set name "FTP"
        set service "FTP" "FTP_GET" "FTP_PUT"
        set dstintf "virtual-wan-link"
        set traffic-shaper "low-priority"
        set traffic-shaper-reverse "low-priority"
        set srcaddr "all"
        set dstaddr "all"
    next
end

To configure SD-WAN traffic shaping and QoS with SD-WAN in the CLI:

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway x.x.x.x
        next
        edit 2
            set interface "wan2"
            set gateway x.x.x.x
        next
    end
    config service
        edit 1
            set name "SIP"
            set member 1
            set dst "voip-server"
            set dscp-forward enable
            set dscp-forward-tag 101110
        next
    end
end
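The SD-WAN rule above writes the DSCP value as a six-digit binary string (101110). The following is an added example, not part of the FortiOS guide, that decodes such a tag into the DSCP decimal value, the per-hop behaviour name, and the TOS byte seen on the wire, and builds the tag string for any other code point. The DSCP name table is the standard RFC 2474/2597/3246 assignment; the `bpf_filter` helper produces a tcpdump expression for confirming the mark on the egress member.

```python
"""Added example (not from the FortiOS guide): decode and build the 6-bit
DSCP tag strings used by `set dscp-forward-tag`, and derive the wire-level
TOS byte so the mark can be verified with a packet capture on wan1."""

# Standard DSCP code points (decimal) -> per-hop behaviour name (RFC 2474/2597/3246).
DSCP_NAMES = {
    0: "BE/CS0", 8: "CS1", 10: "AF11", 12: "AF12", 14: "AF13",
    16: "CS2", 18: "AF21", 20: "AF22", 22: "AF23",
    24: "CS3", 26: "AF31", 28: "AF32", 30: "AF33",
    32: "CS4", 34: "AF41", 36: "AF42", 38: "AF43",
    40: "CS5", 46: "EF", 48: "CS6", 56: "CS7",
}


def parse_dscp_tag(tag: str) -> int:
    """Parse the six-character binary string FortiOS expects (e.g. '101110' -> 46)."""
    if len(tag) != 6 or any(c not in "01" for c in tag):
        raise ValueError(f"DSCP tag must be exactly 6 binary digits, got {tag!r}")
    return int(tag, 2)


def dscp_tag_from_value(value: int) -> str:
    """Build the tag string for a DSCP decimal value (e.g. 46 -> '101110')."""
    if not 0 <= value <= 63:
        raise ValueError("DSCP value must be in 0..63")
    return format(value, "06b")


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """DSCP occupies the upper 6 bits of the IPv4 TOS / IPv6 Traffic Class byte; ECN the lower 2."""
    return (dscp << 2) | (ecn & 0x3)


def bpf_filter(dscp: int) -> str:
    """tcpdump filter matching packets carrying this DSCP (ECN bits masked off)."""
    return f"ip[1] & 0xfc == 0x{tos_byte(dscp):02x}"


def describe_tag(tag: str) -> dict:
    """Everything an operator wants to know about a configured tag, in one dict."""
    dscp = parse_dscp_tag(tag)
    return {
        "tag": tag,
        "dscp": dscp,
        "name": DSCP_NAMES.get(dscp, "unassigned"),
        "tos_byte": tos_byte(dscp),
        "tos_hex": f"0x{tos_byte(dscp):02x}",
        "tcpdump": bpf_filter(dscp),
    }


if __name__ == "__main__":
    # The value from the guide's SD-WAN rule.
    print(describe_tag("101110"))
```

With the guide's tag, `describe_tag("101110")` reports DSCP 46 (EF), TOS byte 0xb8, and the capture filter `ip[1] & 0xfc == 0xb8`, which is what to look for on wan1 when checking that VOIP traffic is actually marked.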

To use the diagnose command to check if specific traffic is attached to the correct traffic shaper:

# diagnose firewall iprope list 100015
policy index=1 uuid_idx=0 action=accept
flag (0):
shapers: orig=high-priority(2/0/134217728) reply=high-priority(2/0/134217728)
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(2): 36 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
service(2):
    [6:0x0:0/(1,65535)->(80,80)] helper:auto
    [6:0x0:0/(1,65535)->(443,443)] helper:auto

policy index=2 uuid_idx=0 action=accept
flag (0):
shapers: orig=low-priority(4/128000/134217728) reply=low-priority(4/128000/134217728)
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(2): 36 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
service(3):
    [6:0x0:0/(1,65535)->(21,21)] helper:auto
    [6:0x0:0/(1,65535)->(21,21)] helper:auto
    [6:0x0:0/(1,65535)->(21,21)] helper:auto
FGT_A (root) #

To use the diagnose command to check if the correct traffic shaper is applied to the session:

# dia sys session list
session info: proto=6 proto_state=01 duration=11 expire=3599 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper=low-priority prio=4 guarantee 128000Bps max 1280000Bps traffic 1050Bps drops 0B
reply-shaper=
per_ip_shaper=
class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255
state=may_dirty npu npd os mif route_preserve
statistic(bytes/packets/allow_err): org=868/15/1 reply=752/10/1 tuples=2
tx speed(Bps/kbps): 76/0 rx speed(Bps/kbps): 66/0
orgin->sink: org pre->post, reply pre->post dev=39->38/38->39 gwy=172.16.200.55/0.0.0.0
hook=post dir=org act=snat 10.1.100.11:58241->172.16.200.55:21(172.16.200.1:58241)
hook=pre dir=reply act=dnat 172.16.200.55:21->172.16.200.1:58241(10.1.100.11:58241)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=4 serial=0003255f tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x100000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: offload-denied helper
total session 1

To use the diagnose command to check the status of a shared traffic shaper:

# diagnose firewall shaper traffic-shaper list

name high-priority maximum-bandwidth 131072 KB/sec guaranteed-bandwidth 0 KB/sec current-bandwidth 0 B/sec priority 2 tos ff packets dropped 0 bytes dropped 0

name low-priority maximum-bandwidth 131072 KB/sec guaranteed-bandwidth 125 KB/sec current-bandwidth 0 B/sec priority 4 tos ff packets dropped 0 bytes dropped 0

name high-priority maximum-bandwidth 131072 KB/sec guaranteed-bandwidth 0 KB/sec current-bandwidth 0 B/sec priority 2 policy 1 tos ff packets dropped 0 bytes dropped 0

name low-priority maximum-bandwidth 131072 KB/sec guaranteed-bandwidth 125 KB/sec current-bandwidth 0 B/sec priority 4 policy 2 tos ff packets dropped 0 bytes dropped 0
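The two diagnose outputs above report bandwidth in different units from the CLI configuration: `guaranteed-bandwidth 1000` (kbps) appears as `guarantee 128000Bps` in the session list and as `125 KB/sec` in the shaper list. The following is an added example, not part of the FortiOS guide, that parses both outputs and reconciles them with the configured kbps values. The unit relationship it assumes (1 kbps shown as 128 bytes/s, 1 KB as 1024 bytes) is derived from the guide's own numbers: 1000 kbps gives 128000 Bps and 125 KB/sec, and 1048576 kbps gives 134217728 Bps and 131072 KB/sec. The sample output lines are constructed from the ones shown in the guide.

```python
"""Added example (not from the FortiOS guide): parse `diagnose firewall shaper
traffic-shaper list` and the origin-shaper line of `diagnose sys session list`,
then check them against the kbps values set under `config firewall shaper
traffic-shaper`. Unit assumption (derived from the guide's numbers):
1 kbps -> 128 B/s, 1 KB -> 1024 B."""
import re

# Constructed sample: the four shaper-list lines from the guide.
SHAPER_LIST = """\
name high-priority maximum-bandwidth 131072 KB/sec guaranteed-bandwidth 0 KB/sec current-bandwidth 0 B/sec priority 2 tos ff packets dropped 0 bytes dropped 0
name low-priority maximum-bandwidth 131072 KB/sec guaranteed-bandwidth 125 KB/sec current-bandwidth 0 B/sec priority 4 tos ff packets dropped 0 bytes dropped 0
name high-priority maximum-bandwidth 131072 KB/sec guaranteed-bandwidth 0 KB/sec current-bandwidth 0 B/sec priority 2 policy 1 tos ff packets dropped 0 bytes dropped 0
name low-priority maximum-bandwidth 131072 KB/sec guaranteed-bandwidth 125 KB/sec current-bandwidth 0 B/sec priority 4 policy 2 tos ff packets dropped 0 bytes dropped 0
"""
# Constructed sample: the origin-shaper line from the guide's session list.
SESSION_SHAPER_LINE = ("origin-shaper=low-priority prio=4 guarantee 128000Bps "
                       "max 1280000Bps traffic 1050Bps drops 0B reply-shaper= per_ip_shaper=")

# Intent, taken from the CLI section (kbps); priority numbers as the diagnose output shows them.
CONFIGURED = {
    "high-priority": {"guaranteed_kbps": 0, "max_kbps": 1048576, "priority": 2},
    "low-priority": {"guaranteed_kbps": 1000, "max_kbps": 1048576, "priority": 4},
}

SHAPER_RE = re.compile(
    r"name (?P<name>\S+) maximum-bandwidth (?P<max_kb>\d+) KB/sec "
    r"guaranteed-bandwidth (?P<guar_kb>\d+) KB/sec current-bandwidth (?P<cur>\d+) K?B/sec "
    r"priority (?P<prio>\d+)(?: policy (?P<policy>\d+))? tos (?P<tos>[0-9a-fA-F]+) "
    r"packets dropped (?P<pkt_drop>\d+) bytes dropped (?P<byte_drop>\d+)")
SESSION_RE = re.compile(
    r"origin-shaper=(?P<name>\S+) prio=(?P<prio>\d+) guarantee (?P<guar_bps>\d+)Bps "
    r"max (?P<max_bps>\d+)Bps traffic (?P<traffic_bps>\d+)Bps drops (?P<drops>\d+)B")


def kbps_to_bps(kbps: int) -> int:
    """Configured kbps -> the Bps figure the session list prints (1 kbps = 128 B/s)."""
    return kbps * 128


def kbps_to_kb_per_sec(kbps: int) -> int:
    """Configured kbps -> the KB/sec figure the shaper list prints (1 KB = 1024 B)."""
    return kbps_to_bps(kbps) // 1024


def parse_shaper_list(text: str) -> list:
    """One dict per shaper entry; 'policy' is None for the shared (non per-policy) entry."""
    return [{k: (int(v) if v is not None and k not in ("name", "tos") else v)
             for k, v in m.groupdict().items()} for m in SHAPER_RE.finditer(text)]


def parse_session_shaper(line: str) -> dict:
    m = SESSION_RE.search(line)
    if not m:
        raise ValueError("no origin-shaper information in line")
    return {k: (v if k == "name" else int(v)) for k, v in m.groupdict().items()}


def reconcile(entries: list, configured: dict) -> list:
    """Findings as strings; an empty list means the device matches the intended shaping."""
    findings = []
    for e in entries:
        where = e["name"] + (f" (policy {e['policy']})" if e["policy"] is not None else " (shared)")
        want = configured.get(e["name"])
        if want is None:
            findings.append(f"{where}: shaper not in configuration")
            continue
        if e["guar_kb"] != kbps_to_kb_per_sec(want["guaranteed_kbps"]):
            findings.append(f"{where}: guaranteed {e['guar_kb']} KB/sec, "
                            f"expected {kbps_to_kb_per_sec(want['guaranteed_kbps'])}")
        if e["max_kb"] != kbps_to_kb_per_sec(want["max_kbps"]):
            findings.append(f"{where}: maximum {e['max_kb']} KB/sec, "
                            f"expected {kbps_to_kb_per_sec(want['max_kbps'])}")
        if e["prio"] != want["priority"]:
            findings.append(f"{where}: priority {e['prio']}, expected {want['priority']}")
        if e["pkt_drop"] or e["byte_drop"]:
            findings.append(f"{where}: {e['pkt_drop']} packets / {e['byte_drop']} bytes dropped")
    return findings


def reconcile_session(sess: dict, configured: dict) -> list:
    """Check one session's shaper figures against intent (Bps, as the session list prints)."""
    want = configured.get(sess["name"])
    if want is None:
        return [f"session uses unknown shaper {sess['name']}"]
    findings = []
    if sess["guar_bps"] != kbps_to_bps(want["guaranteed_kbps"]):
        findings.append(f"session guarantee {sess['guar_bps']} Bps = {sess['guar_bps'] // 128} kbps, "
                        f"configured {want['guaranteed_kbps']} kbps")
    if sess["max_bps"] != kbps_to_bps(want["max_kbps"]):
        findings.append(f"session max {sess['max_bps']} Bps = {sess['max_bps'] // 128} kbps, "
                        f"configured {want['max_kbps']} kbps")
    return findings


if __name__ == "__main__":
    print(reconcile(parse_shaper_list(SHAPER_LIST), CONFIGURED))
    print(reconcile_session(parse_session_shaper(SESSION_SHAPER_LINE), CONFIGURED))
```

Run against the guide's shaper list, `reconcile` returns no findings: both guaranteed and maximum values, and the priority numbers 2 (high) and 4 (low), match the configuration once the unit conversion is applied. The session line is a useful contrast: its guarantee of 128000 Bps is the configured 1000 kbps, but its `max 1280000Bps` corresponds to 10000 kbps rather than the 1048576 kbps in the CLI section, so `reconcile_session` reports that one discrepancy. That is exactly the kind of drift (a shaper edited after sessions were established, or a different shaper than intended) that this check is meant to surface.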

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
