Traffic shaping
Interface bandwidth limit
You can limit interface bandwidth for arriving and departing traffic. In some cases, the traffic received on an interfaces could exceed the maximum bandwidth limit defined in the security policy. Rather than waste processing power on packets that will get dropped later in the process, you can configure FortiGate to preemptively drop excess packets when they’re received at the source interface. A similar command is available to the outgoing interface.
The following diagram shows how excess packets going from LAN to WAN1 can be intercepted and dropped at the source interface.
To configure an interface bandwidth limit on the FortiOS GUI:
- Go to Interface.
- Click interface port1, and click Edit on top menu bar.
- Go to the Traffic Shaping section, and set the following options:
- Enable Inbound Bandwidth and type 200. The default bandwidth unit is kbps.
- Enable Outbound Bandwidth and type 400.
The default bandwidth unit is kbps.
- Click OK.
To configure an interface bandwidth limit on the FortiOS CLI:
- On the FortiGate, configure the interface bandwidth limit:
config system interface edit “port1” …..
set inbandwidth 200 set outbandwidth 400 ….. next
end
ToS-based traffic prioritization
This traffic prioritization method puts packets into the following queues based on its Type of Service (ToS) value: l High l Medium l Low
ToS-based traffic prioritization cannot be used to apply bandwidth limits and guarantees, but it can be used to prioritize traffic at per-packet levels.
You can use the following command to configure the default system-wide level of priority:
config system global set traffic-priority-level {high | low | medium}
end
You can also prioritize packets according to the ToS bit value in the packet’s IP header by using the following command: config system tos-based-priority edit <id_int> set tos [0-15]
set priority {high | low | medium}
next
end
Example
The following configuration shows that packets with ToS bit values of 10 are prioritized as medium and packets with ToS bit values of 20 are prioritized as high. All the other traffic is prioritized as low.
config system global set traffic-priority-level low end
config system tos-based-priority edit 1 set tos 10 set priority medium
next edit 2 set tos 20 set priority high
next
end
Shared traffic shaper
Shared traffic shaper is used in a firewall shaping policy to indicate the priority and guaranteed and maximum bandwidth for a specified type of traffic use.
The maximum bandwidth indicates the largest amount of traffic allowed when using the policy. You can set the maximum bandwidth to a value between 1 and 16776000 Kbps. The GUI displays an error if any value outside this range is used. If you want to allow unlimited bandwidth, use the CLI to enter a value of 0.
The guaranteed bandwidth ensures that there is a consistent reserved bandwidth available. When setting the guaranteed bandwidth, ensure that the value is significantly less than the interface’s bandwidth capacity. Otherwise, the interface will allow very little or no other traffic to pass through, potentially causing unwanted latency.
In a shared traffic shaper, the administrator can prioritize certain traffic as high, medium, or low. FortiOS provides bandwidth to low priority connections only when high priority connections do not need the bandwidth. For example, you should assign a high traffic priority to a policy for connecting a secure web server that needs to support e-commerce traffic. You should assign less important services a low priority.
When you configure a shared traffic shaper, you can apply bandwidth shaping per policy or for all policies. By default, a shared traffic shaper applies traffic shaping evenly to all policies that use the shared traffic shaper.
When configuring a per-policy traffic shaper, FortiOS applies the traffic shaping rules defined for each security policy individually. For example, if a per-policy traffic shaper is configured with a maximum bandwidth of 1000 Kbps, any security policies that have that traffic shaper enabled get 1000 Kbps of bandwidth each.
If a traffic shaper for all policies is configured with a maximum bandwidth of 1000 Kbps, all policies share the 1000 Kbps on a first-come, first-served basis.
The configuration is as follows:
config firewall shaper traffic-shaper edit “traffic_shaper_name” set per-policy enable
next
end
The shared traffic shaper selected in the traffic shaping policy affects traffic in the direction defined in the policy. For example, if the source port is LAN and the destination is WAN1, the traffic shaping affects the flow in this direction only, affecting the outbound traffic’s upload speed. You can define the traffic shaper for the policy in the opposite direction (reverse shaper) to affect the inbound traffic’s download speed. In this example, that would be from WAN1 to LAN.
The following example shows how to apply different speeds to different types of service. The example configures two shared traffic shapers to use in two firewall shaping policies. One policy guarantees a speed of 10 Mbps for VoIP traffic.
The other policy guarantees a speed of 1 Mbps for other traffic. In the example, FortiOS communicates with a PC using port10 and the Internet using port9.
To configure shared traffic shapers in the FortiOS GUI:
- Create a firewall policy:
- Go to Policy & Objects > IPv4 Policy. Click Create New.
- In the Name field, enter Internet Access.
- From the Incoming Interface dropdown list, select port10.
- From the Outgoing Interface dropdown list, select port9.
- For the Source and Destination fields, select all.
- From the Schedule dropdown list, select always.
- For the Service field, select ALL.
- Click OK.
- Create the shared traffic shapers:
- Go to Policy & Objects > Traffic Shapers. Click Create New.
- In the Name field, enter 10Mbps. This shaper is for VoIP traffic.
- From the Traffic Priority dropdown list, select High.
- Enable Max Bandwidth and enter 20000. This equates to 20 Mbps.
- Enable Guaranteed Bandwidth and enter 10000. This equates to 10 Mbps.
- Click OK.
- Repeat the process above to create another traffic shaper named 1Mbps. Set the Traffic Priority to Low, the Max Bandwidth and Guaranteed Bandwidth to 10000.
- Create a firewall shaping policy:
- Go to Policy & Objects > Traffic Shaping Policy. Click Create New.
- In the Name field, enter VoIP_10Mbps_High. This policy is for VoIP traffic.
- For the Source and Destination fields, select all.
- For the Service field, select all VoIP services.
- For the Outgoing Interface field, select port9.
- Enable Shared shaper. Select 10Mbps from the dropdown list.
- Enable Reverse shaper. Select 10Mbps from the dropdown list.
- Click OK.
- Repeat the process above to create a firewall shaping policy named Other_1Mbps_Low for other traffic. Set the Source and Destination to all, Service to ALL, Outgoing Interface to port9, and Shared shaper and Reverse shaper to 1Mbps.
To configure shared traffic shapers using the FortiOS CLI:
- Create a firewall policy:
config firewall policy edit 1 set name “Internet Access” set srcintf “port10” set dstintf “port9” set srcaddr “all” set dstaddr “all” set action accept
set schedule “always” set service “ALL” set fsso disable set nat enable
next
end
- Create the shared traffic shapers:
config firewall shaper traffic-shaper edit “10Mbps” set guaranteed-bandwidth 10000 set maximum-bandwidth 20000
next edit “1Mbps” set guaranteed-bandwidth 1000 set maximum-bandwidth 10000 set priority low
next
end
- Create a firewall shaping policy:
config firewall shaping-policy edit 1 set name “VOIP_10Mbps_High”
set service “H323” “IRC” “MS-SQL” “MYSQL” “RTSP” “SCCP” “SIP” “SIP-MSNmessenger” set dstintf “port9” set traffic-shaper “10Mbps” set traffic-shaper-reverse “10Mbps”
set srcaddr “all” set dstaddr “all”
next edit 2 set name “Other_1Mbps_Low” set service “ALL” set dstintf “port9” set traffic-shaper “1Mbps” set traffic-shaper-reverse “1Mbps”
set srcaddr “all” set dstaddr “all”
next
end
To troubleshoot shared traffic shapers:
- To check if specific traffic is attached to the correct traffic shaper, run the diagnose firewall iprope list 100015 command. The example output shows the traffic attached to the 10Mbps and 1Mbps shapers:
# diagnose firewall iprope list 100015
policy index=1 uuid_idx=0 action=accept flag (0):
shapers: orig=10Mbps(2/1280000/2560000) cos_fwd=0 cos_rev=0 group=00100015 av=00000000 au=00000000 split=00000000 host=4 chk_client_info=0x0 app_list=0 ips_view=0 misc=0 dd_type=0 dd_mode=0 zone(1): 0 -> zone(1): 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0, dest(1): 0.0.0.0-255.255.255.255, uuid_idx=0, service(15):
[6:0x0:0/(1,65535)->(1720,1720)] helper:auto
[6:0x0:0/(1,65535)->(1503,1503)] helper:auto
[17:0x0:0/(1,65535)->(1719,1719)] helper:auto
[6:0x0:0/(1,65535)->(6660,6669)] helper:auto
[6:0x0:0/(1,65535)->(1433,1433)] helper:auto
[6:0x0:0/(1,65535)->(1434,1434)] helper:auto
[6:0x0:0/(1,65535)->(3306,3306)] helper:auto
[6:0x0:0/(1,65535)->(554,554)] helper:auto
[6:0x0:0/(1,65535)->(7070,7070)] helper:auto
[6:0x0:0/(1,65535)->(8554,8554)] helper:auto
[17:0x0:0/(1,65535)->(554,554)] helper:auto
[6:0x0:0/(1,65535)->(2000,2000)] helper:auto
[6:0x0:0/(1,65535)->(5060,5060)] helper:auto
[17:0x0:0/(1,65535)->(5060,5060)] helper:auto [6:0x0:0/(1,65535)->(1863,1863)] helper:auto
policy index=2 uuid_idx=0 action=accept flag (0):
shapers: orig=1Mbps(4/128000/1280000) cos_fwd=0 cos_rev=0 group=00100015 av=00000000 au=00000000 split=00000000 host=4 chk_client_info=0x0 app_list=0 ips_view=0 misc=0 dd_type=0 dd_mode=0 zone(1): 0 -> zone(1): 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0, dest(1): 0.0.0.0-255.255.255.255, uuid_idx=0, service(1):
[0:0x0:0/(0,0)->(0,0)] helper:auto
- To check if the correct traffic shaper is applied to the session, run the diagnose sys session list command. The example output shows that the 1Mbps shaper is applied to the session:
# dia sys session list
session info: proto=6 proto_state=01 duration=11 expire=3599 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper=1Mbps prio=4 guarantee 128000Bps max 1280000Bps traffic 1050Bps drops 0B reply-shaper= per_ip_shaper=
class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255 state=may_dirty npu npd os mif route_preserve
statistic(bytes/packets/allow_err): org=868/15/1 reply=752/10/1 tuples=2
tx speed(Bps/kbps): 76/0 rx speed(Bps/kbps): 66/0 orgin->sink: org pre->post, reply pre->post dev=39->38/38->39 gwy=172.16.200.55/0.0.0.0 hook=post dir=org act=snat 10.1.100.11:58241->172.16.200.55:21(172.16.200.1:58241) hook=pre dir=reply act=dnat 172.16.200.55:21->172.16.200.1:58241(10.1.100.11:58241) pos/(before,after) 0/(0,0), 0/(0,0) misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=4 serial=0003255f tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id = 00000000 dd_type=0 dd_mode=0 npu_state=0x100000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0 no_ofld_reason: offload-denied helper total session 1
- To check statuses of shared traffic shapers, run the diagnose firewall shaper traffic-shaper list command. The output should resemble the following: # dia firewall shaper traffic-shaper list
name 10Mbps maximum-bandwidth 2500 KB/sec guaranteed-bandwidth 1250 KB/sec current-bandwidth 0 B/sec priority 2 tos ff packets dropped 0 bytes dropped 0
name 1Mbps maximum-bandwidth 1250 KB/sec guaranteed-bandwidth 125 KB/sec current-bandwidth 0 B/sec priority 4 tos ff packets dropped 0 bytes dropped 0
Per-IP traffic shaper
With per-IP traffic shaping, you can limit each IP address’s behavior to avoid a situation where one user uses all of the available bandwidth. In addition to controlling the maximum bandwidth used per IP address, you can also define the maximum number of concurrent sessions for an IP address. For example, if you apply a per-IP shaper of 1 Mbps to your entire network, FortiOS allocates each user/IP address 1 Mbps of bandwidth. Even if the network consists of a single user, FortiOS allocates them 1 Mbps. If there are ten users, each user gets 1 Mbps of bandwidth, totaling 10 Mbps of outgoing traffic.
For shared shapers, all users share the set guaranteed and maximum bandwidths. For example, if you set a shared shaper for all PCs using an FTP service to 10 Mbps, all users uploading to the FTP server share the 10 Mbps.
Shared shapers affect upload speed. If you want to limit the download speed from the FTP server in the example, you must configure the shared shaper as a reverse shaper. Per-IP shapers apply the speed limit on both upload and download operations.
The following example shows how to apply a per-IP shaper to a traffic shaping policy. This shaper assigns each user a maximum bandwidth of 1 Mbps and allows each user to have a maximum of ten concurrent connections to the FTP server. In the example, FortiOS communicates with users using port10 and the FTP server using port9.
To configure a per-IP shaper in the FortiOS GUI:
- Create a firewall policy:
- Go to Policy & Objects > IPv4 Policy. Click Create New.
- In the Name field, enter FTP Access.
- From the Incoming Interface dropdown list, select port10.
- From the Outgoing Interface dropdown list, select port9.
- For the Source and Destination fields, select all and FTP_Server, respectively.
- From the Schedule dropdown list, select always.
- For the Service field, select ALL.
- Click OK.
- Create the per-IP traffic shaper:
- Go to Policy & Objects > Traffic Shapers. Click Create New.
- For Type, select Per-IP.
- In the Name field, enter FTP_Max_1M. This shaper is for VoIP traffic.
- Enable Max Bandwidth and enter 1000. This equates to 1 Mbps.
- Enable Max Concurrent Connections and enter 10. This means that each user can have up to ten concurrent connections to the FTP server.
- Click OK.
- Create a firewall shaping policy:
- Go to Policy & Objects > Traffic Shaping Policy. Click Create New.
- In the Name field, enter FTP speed 1M.
- For the Source fields, select the users that need to access the FTP server.
- For the Destination field, select FTP_Server.
- For the Service field, select ALL.
- For the Outgoing Interface field, select port9.
- Enable Per-IP shaper. Select FTP_Max_1M from the dropdown list.
- Click OK.
To configure a per-IP traffic shaper using the FortiOS CLI:
- Create a firewall policy:
config firewall policy edit 1 set name “FTP Access” set srcintf “port10” set dstintf “port9” set srcaddr “all” set dstaddr “FTP_Server” set action accept set schedule “always” set service “ALL” set fsso disable set nat enable
next
end
- Create the per-IP traffic shaper:
config firewall shaper per-ip-shaper edit “FTP_Max_1M” set max-bandwidth 1000 set max-concurrent-session 10
next
end
- Create a firewall shaping policy:
config firewall shaping-policy edit 1 set name “FTP speed 1M” set service “ALL” set dstintf “port9”
set per-ip-shaper “FTP_Max_1M” set srcaddr “PC1” “WinPC” “PC2” set dstaddr “FTP_Server”
next
end
To troubleshoot per-IP traffic shapers:
- To check if specific traffic is attached to the correct traffic shaper, run the diagnose firewall iprope list 100015 command. The example output shows the traffic attached to the FTP_Max_1M shaper:
# diagnose firewall iprope list 100015
policy index=3 uuid_idx=0 action=accept flag (0): shapers: per-ip=FTP_Max_1M cos_fwd=0 cos_rev=0 group=00100015 av=00000000 au=00000000 split=00000000 host=2 chk_client_info=0x0 app_list=0 ips_view=0 misc=0 dd_type=0 dd_mode=0 zone(1): 0 -> zone(1): 38
source(3): 10.1.100.11-10.1.100.11, uuid_idx=30, 10.1.100.143-10.1.100.143, uuid_idx=32,
10.1.100.22-10.1.100.22, uuid_idx=31, dest(1): 172.16.200.55-172.16.200.55, uuid_idx=89, service(1):
[0:0x0:0/(0,65535)->(0,65535)] helper:auto
- To check if the correct traffic shaper is applied to the session, run the diagnose sys session list command. The example output shows that the FTP_Max_1M shaper is applied to the session:
# dia sys session list
session info: proto=6 proto_state=01 duration=36 expire=3567 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper= reply-shaper= per_ip_shaper=FTP_Max_1M
class_id=0 shaping_policy_id=3 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255 state=may_dirty per_ip npu npd mif route_preserve
statistic(bytes/packets/allow_err): org=506/9/1 reply=416/6/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0 orgin->sink: org pre->post, reply pre->post dev=39->38/38->39 gwy=172.16.200.55/0.0.0.0 hook=post dir=org act=snat 10.1.100.11:58275->172.16.200.55:21(172.16.200.1:58275) hook=pre dir=reply act=dnat 172.16.200.55:21->172.16.200.1:58275(10.1.100.11:58275) pos/(before,after) 0/(0,0), 0/(0,0) misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=2 serial=0000211a tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id = 00000000 dd_type=0 dd_mode=0 npu_state=0x100000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0 no_ofld_reason: offload-denied helper
- To check statuses of per-IP traffic shapers, run the diagnose firewall shaper per-ip-shaper list command. The output should resemble the following: # diagnose firewall shaper per-ip-shaper list
name FTP_Max_1M maximum-bandwidth 125 KB/sec maximum-concurrent-session 10
tos ff/ff packets dropped 0 bytes dropped 0 addr=10.1.100.11 status: bps=0 ses=3
Type of Service-based prioritization and policy-based traffic shaping
Priority queues
After packet acceptance, FortiOS classifies traffic and may apply Quality of Service techniques such as prioritization and traffic shaping. Traffic shaping consists of a mixture of traffic policing to enforce bandwidth limits and priority queue adjustment to assist packets in achieving the guaranteed rate.
If you have configured prioritization, FortiOS prioritizes egressing packets by distributing them among first in first out queues associated with each possible priority number. Each physical interface has six priority queues. Virtual interfaces use the priority queues of the physical interface to which they are bound.
Each physical interface’s six queues are queue 0 to queue 5, where queue 0 is the highest priority queue. However, you may observe that your traffic uses only a subset of those six queues. For example, some traffic may always use a certain queue number. Queuing may also vary by the packet rate or mixture of services. Some queue numbers may only be used by through traffic for which you have configured traffic shaping in the security policy that applies to that traffic session.
Administrative access traffic always uses queue 0.
Traffic matching firewall policies without traffic shaping may use queue 0, queue 1, or queue 2. The queue is selected based on the priority value you have configured for packets with that Type of Service (ToS) bit value, if you have configured ToS-based priorities.
Traffic matching firewall shaping policies with traffic shaper enabled may use any queue. The queue is selected based on whether the packet rate is currently below the guaranteed bandwidth (queue 0), or above the guaranteed bandwidth. Packets at rates greater than the maximum bandwidth limit are dropped.
Priority types
Packets can be assigned a priority in one of three types:
- On entering ingress – for packets flowing through the firewall. l Upon generation – for packets generated by the firewall (including packets generated due to AV proxying).
- On passing through a firewall policy – for packets passing through a firewall policy (firewall shaping policy) that has a traffic shaper defined.
ToS priority
The first and second types, ingress priority and priority for generated packets, are controlled via two different CLI settings, as shown below:
config system global set traffic-priority-level {high|medium|low}
end
config system tos-based-priority edit 1 set tos [0-15] -> type of service bit in the IP datagram header with a value between 0 and 15
set priority (high|medium|low)-> priority of this type of service
next
end
Each priority level is mapped to a value as follows:
ToS priority | Value |
High | 0 |
Medium | 1 |
Low | 2 |
Firewall shaping policy priority
In a firewall shaping policy, you can enable traffic shaping. In the shared traffic shaper, you can set the firewall priority to high, medium, or low, as shown below:
config firewall shaper traffic-shaper edit “1” set priority (high|medium|low)
next
end
Since the priority in a traffic shaper is set to high by default, you must set some traffic at a lower priority to see results. Each priority level is mapped to a value as follows:
Firewall policy priority | Value |
High (default) | 1 |
Medium | 2 |
Low | 3 |
Combination of two priority types
To combine the two priority types, the global or ingress ToS-based priority value is combined with the firewall policy priority value:
ToS priority (0, 1, 2) + policy priority (1, 2, 3) = total priority (queue number)
Consider the following scenarios:
- If the current packet rate is less than the guaranteed bandwidth, packets use priority queue 0. Packet priority is 0. l If the current packet rate exceeds the maximum bandwidth, excess packets are dropped.
- If the current packet rate is greater than the guaranteed bandwidth but less than the maximum bandwidth, FortiOS assigns a priority queue by adding the ToS-based priority and the firewall priority. For example, if you have enabled traffic shaping in the security policy and the security policy’s traffic priority is low (value 3), and the priority normally applied to packets with that ToS bit is medium (value 1), the packets have a total packet priority of 4, and use priority queue 4.
Interface-based traffic shaping profile
Priority Queues
After packet acceptance, FortiGate classifies traffic and might apply Quality of Service (QoS) techniques, such as prioritization and traffic shaping. Traffic shaping consists of a mixture of traffic policing to enforce bandwidth limits and priority queue adjustment to assist packets in achieving the guaranteed rate.
If you have configured prioritization, the FortiGate unit prioritizes egressing packets by distributing them among FIFO (first in, first out) queues associated with each possible priority number. Each physical interface has six priority queues. Virtual interfaces use the priority queues of the physical interface to which they are bound.
Each physical interface’s six queues are queue 0 to queue 5, where queue 0 is the highest priority queue. However, you might observe that your traffic uses only a subset of those six queues. For example, some traffic might always use a certain queue number. Queuing may also vary by the packet rate or mixture of services. Some queue numbers might only be used by through traffic for which you have configured traffic shaping in the security policy that applies to that traffic session.
- Administrative access traffic will always use queue 0.
- Traffic matching firewall policies without traffic shaping may use queue 0, queue 1, or queue 2. The queue is selected based on the priority value you have configured for packets with that ToS (Type of Service) bit value, if you have configured ToS-based priorities.
- Traffic matching firewall shaping policy with traffic shaper enabled may use any queue. The queue is selected based on whether the packet rate is currently below the guaranteed bandwidth (queue 0), or above the guaranteed bandwidth. Packets at rates greater than the maximum bandwidth limit are dropped.
- For Example, if the global ToS-based-priority is low (3) and the priority in a traffic-shaper is medium (2), when a packet flows through a policy that refers to the shaper, the packet will be assigned the priority defined by the shaper. In this case, medium (2).
Types of priority
Packets can be assigned a priority in one of three types:
- On entering ingress – for packets flowing through the firewall.
- Upon generation – for packets generated by the firewall (including packets generated due to AV proxying).
- On passing through a firewall policy – for packets passing through a firewall policy(firewall shaping policy) that has a traffic shaper defined.
Type of Service (ToS) priority
The first and second types (ingress priority and priority for generated packets) are controlled via two different CLI settings:
config system global set traffic-priority-level {high|medium|low}
end And
config system tos-based-priority edit 1 set tos [0-15] -> type of service bit in the IP datagram header with a value between 0 and 15
set priority (high|medium|low)-> priority of this type of service
next
end
Each priority level is mapped to a value like following:
ToS Priority | Value |
High | 0 |
Medium | 1 |
Low | 2 |
Firewall shaping policy priority
In a firewall shaping policy, you can enable traffic shaping. In the shared traffic shaper, you can set the firewall priority to high, medium, or low:
config firewall shaper traffic-shaper edit “1” set priority (high|medium|low)
next
end
Since priority in traffic shaper are set to “high” priority by default, it is necessary to set some traffic at a lower priority to get results. Each priority level is mapped to a value like following:
Firewall Policy Priority | Value |
High (default) | 1 |
Medium | 2 |
Low | 3 |
Combination priority
The global or ingress ToS-based priority value is combined with the firewall policy priority value:
Tos priority (0, 1, 2) + policy priority (1, 2, 3) = total priority (queue number) Let’s take a look at some scenarios:
Case 1: If the current packet rate is less than the guaranteed bandwidth, packets use priority queue 0. In other words, packet priority = 0.
Case 2:If the current packet rate exceeds the maximum bandwidth, excess packets are dropped.
Case 3:If the current packet rate is greater than the guaranteed bandwidth, but less than maximum bandwidth, the FortiGate unit assigns a priority queue by adding the ToS-based priority and the firewall priority.
For example, if you have enabled Traffic Shaping in the security policy, and the security policy’s Traffic Priority is Low (value 3), and the priority normally applied to packets with that ToS bit is medium (value 1), then packets have a total packet priority of 4, and use priority queue 4.
Good topic, thanks