Troubleshooting traffic shaping

Troubleshooting traffic shaping

This chapter outlines some troubleshooting tips and steps to diagnose the shapers and whether they are working correctly. These diagnose commands include:

  • diagnose system tos-based-priority
  • diagnose firewall shaper traffic-shaper
  • diagnose firewall per-ip-shaper
  • diagnose debug flow

 

Interface diagnosis

To optimize traffic shaping performance, first ensure that the network interface’s Ethernet statistics are clean of errors, collisions, or buffer overruns. To check the interface, enter the following diagnose command to see the traffic statistics:

diagnose hardware deviceinfo nic <port_name>

 

Shaper diagnose commands

There are specific diagnose commands you can use to verify the configuration and flow of traffic, including packet loss due to the employed shaper.

All of these diagnose troubleshooting commands are supported in both IPv4 and IPv6.

 

ToS command

Use the following command to list command to view information of the ToS lists and traffic.

diagnose system tos-based-priority

This example displays the priority value currently correlated with each possible ToS bit value. Priority values are displayed in order of their corresponding ToS bit values, which can range between 0 and 15, from lowest ToS bit value to highest.

For example, if you have not configured ToS-based priorities, the following appears…

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

…reflecting that all packets are currently using the same default priority, high (value 0).

If you have configured a ToS-based priority of low (value 2) for packets with a ToS bit value of 3, the following appears…

0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0

…reflecting that most packets are using the default priority value, except those with a ToS bit value of 3.

 

Shared shaper

To view information for the shared traffic shaper for security policies enter the command

diagnose firewall shaper traffic-shaper list

The resultant output displays the information on all available shapers. The more shapers available the longer the list. For example:

name Throughput

maximum-bandwidth 1200000 Kb/sec guaranteed-bandwidth 50000 Kb/sec current-bandwidth 0 B/sec

priority 1

packets dropped 0

Additional commands include:

diagnose firewall shaper traffic-shaper state – provides the total number of traffic shapers on the FortiGate unit.

diagnose firewall shaper traffic-shaper stats – provides summary statistics on the shapers.

Sample output looks like the following:

shapers 9 ipv4 0 ipv6 0 drops 0

 

PerIP shaper

To view information for the per-IP shaper for security policies enter the command

diagnose firewall shaper per-ip-shaper list

The resultant output displays the information on all available per-IP shapers. The more shapers available the longer the list. For example:

name accounting_group

maximum-bandwidth 200000 Kb/sec maximum-concurrent-session 55 packet dropped 0

 

Additional commands include:

diagnose firewall shaper per-ip-shaper state – provides the total number of per-ip shapers on the FortiGate unit.

diagnose firewall shaper per-ip-shaper stats – provides summary statistics on the shapers.

Sample output looks like the following:

memory allocated 3 packet dropped: 0

 

You can also clear the per-ip statistical data to begin a fresh diagnoses using:

diagnose firewall shaper per-ip-shaper clear

 

Packet loss with statistics on shapers

For each shaper there are counters that allow to verify if packets have been discarded. To view this information, in the CLI, enter the command diagnose firewall shaper. The results will look similar to the following output:

diagnose firewall shaper traffic-shaper list name limit_GB_25_MB_50_LQ

maximum-bandwidth 50 Kb/sec guaranteed-bandwidth 25 Kb/sec current-bandwidth 51 Kb/sec priority 3 dropped 1291985

The diagnose command output is different if the shapers are configured either per-policy or shared between policies.

 

For per-IP the output would be:

diagnose firewall shaper per-ip-shaper list

name accounting_group

maximum-bandwidth 200000 Kb/sec maximum-concurrent-session 55 packet dropped 3264220

 

Packet lost with the debug flow

When using the debug flow diagnostic command, there is a specific message information that a packet has exceed the shaper limits and therefor discarded:

 

diagnose debug flow show console enable diagnose debug flow filter addr 10.143.0.5 diagnose debug flow trace start 1000

id=20085 trace_id=11 msg=”vd-root received a packet(proto=17, 10.141.0.11:3735-

>10.143.0.5:5001) from port5.”

id=20085 trace_id=11 msg=”Find an existing session, id-0000eabc, original direction” id=20085 trace_id=11 msg=”exceeded shaper limit, drop”

 

Session list details with dual traffic shaper

When a Security Policy has a different traffic shaper for each direction, it is reflected in the session list output from the CLI:

diagnose system session list

session info: proto=6 proto_state=02 expire=115 timeout=3600 flags=00000000 sock flag=00000000 sockport=0 av_idx=0 use=4

origin-shaper=Limit_25Mbps prio=1 guarantee 25600/sec max 204800/sec traffic 48/sec reply-shaper=Limit_100Mbps prio=1 guarantee 102400/sec max 204800/sec traffic 0/sec ha_id=0 hakey=44020

policy_dir=0 tunnel=/

state=may_dirty rem os rs

statistic(bits/packets/allow_err): org=96/2/1 reply=0/0/0 tuples=2

orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=10.160.0.1/0.0.0.0 hook=pre dir=org act=dnat 192.168.171.243:2538->192.168.182.110:80(10.160.0.1:80) hook=post dir=reply act=snat 10.160.0.1:80->192.168.171.243:2538(192.168.182.110:80) pos/(before,after) 0/(0,0), 0/(0,0)

misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0 serial=00011e81 tos=ff/ff app=0 dd_type=0 dd_rule_id=0

 

Additional Information

  • Packets discarded by the shaper impact flow-control mechanisms like TCP. For more accurate testing results prefer UDP protocol.
  • Traffic shaping accuracy is optimum for security policies without a protection profile where no FortiGate content inspection is processed.
  • Do not oversubscribe an outbandwith throughput. For example, sum[guaranteed BW] < outbandwith. For accuracy in bandwidth calculation, it is required to set the “outbandwidth” parameter on the interfaces. For more information see Bandwidth guarantee, limit, and priority interactions on page 2468.
  • The FortiGate unit is not prioritizing traffic based on the DSCP marking configured in the security policy. However, ToS based prioritizing can be made at ingress. For more information see Traffic shaping methods on page 2476.

QoS using priority from ToS or differentiated services

QoS using priority from ToS or differentiated services

Configurations implementing QoS using the priority values defined in either global or specific ToS bit values are not capable of applying bandwidth limits and guarantees, but are capable of prioritizing traffic at per-packet levels, rather than uniformly to all services matched by the security policy.

In addition to configuring traffic prioritization, you may also choose to limit bandwidth being received by each interface. This can sometimes be useful in scenarios where you want to limit traffic levels, but do not want to configure traffic shaping within a security policy. This has the benefit of policing traffic at a point before the FortiGate unit performs most processing.

Note that if you implement QoS using ToS octet rather than security policies, the FortiGate unit applies QoS on a packet by packet basis, and priorities may be different for packets and services controlled by the same security policy. This is more granular control than prioritization by security policies, but has the drawbacks that quality of service is may not be uniform for multiple services controlled by the same security policy, packets will only use up to three of the six possible queues (queue 0 to queue 2), and bandwidth cannot be guaranteed. Other devices in your network must also be able to set or preserve ToS bits.

In this example, we limit the bandwidth accepted by each source interface, and then configure prioritized queuing on the destination interface based upon the value of the ToS bit located in the IP header of each accepted packet.

To limit bandwidth accepted by an interface, in the CLI, enter the following commands:

config system interface edit <name_str>

set inbandwidth <rate_int>

next end

where <rate_int> is the bandwidth limit in Kb/s. Excess packets will be dropped.

To configure priorities, in the CLI, configure the global priority value using the following commands:

config system global

set tos-based-priority {high | low | medium}

end

where high has a priority value of 0 and low is 2.

If you want to prioritize some ToS bit values differently than the global ToS-based priority, configure the priority for packets with that ToS bit value using the following commands:

config system tos-based-priority edit <id_int>

set tos [0-15]

set priority {high | low | medium}

next end

where and tos is the value of the ToS bit in the packet’s IP header, and high has a priority value of 0 and low is

2. Priority values configured in this location will override the global ToS-based priority.

 

Sample configuration

This sample configuration limits ingressing bandwidth to 500 Kb/s. It also queues egressing traffic based upon the ToS bit in the IP header of ingressing packets.

Unless specified for the packet’s ToS bit value, packets use the low priority queue (queue 2). For ToS bit values 4 and 15, the priorities are specified as medium (value 1) and high (value 0), respectively.

config system interface edit wan1

set inbandwidth 500 next

end

config system global

set tos-based-priority low end

config system tos-based-priority edit 4

set tos 4

set priority medium next

edit 15

set tos 15

set priority high next

end

 

Example setup for VoIP

In this example, there are three traffic shaping requirements for a network:

  • Voice over IP (VoIP) requires a guaranteed, high-priority for bandwidth for telephone communications.
  • FTP bursts must be contained so as not to consume any available bandwidth. As such this traffic needs to be throttled to a smaller amount.
  • A consistent bandwidth requirement is needed for all other email and web-based traffic.

To enable this requirement, you need to create three separate shapers and three traffic shaping policies for each traffic type.

In this example, the values used are not recommended values.

 

Creating the traffic shapers

First create the traffic shapers that define the maximum and guaranteed bandwidth. The shared shapers will be used with some applied per-policy and some applied to all policies, to better control traffic.

 

VoIP shaper

The VoIP functionary is a key component to the business as a communication tool and as such requires a guaranteed bandwidth. This shaper will be a high priority shaper.

 

To create a VoIP shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers and select Create New.

2. Set the Type to Shared.

3. Enter the Name voip.

4. Set the Traffic Priority to High.

5. Select Maximum Bandwidth and enter 1000 Kb/s.

6. Select Guaranteed Bandwidth and enter 800 Kb/s.

7. Select OK.

8. Select the HTTP shaper, right-click it, and select Edit in CLI. Type the following command:

set per-policy end

 

To create a VoIP shaper – CLI:

config firewall shaper traffic-shaper edit voip

set maximum-bandwidth 1000 set guaranteed-bandwidth 800 set per-policy enable

set priority high end

Setting the shaper to perpolicy ensures that regardless of the number of policies that use this shaper, the defined bandwidth will always be the same. At the same time, the bandwidth is continually guaranteed at 800 Kb/s but if available can be as much as 1000 Kb/s. Setting the priority to high ensures that the FortiGate unit always considers VoIP traffic the most important.

 

FTP shaper

The FTP shaper sets the maximum bandwidth to use to avoid sudden spikes by sudden uploading or downloading of large files, and interfering with other more important traffic.

 

To create a FTP shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers and Create New.

2. Set the Type to Shared.

3. Enter the Name ftp.

4. Set the Traffic Priority to Low.

5. Select Maximum Bandwidth and enter 200 Kb/s

6. Select Guaranteed Bandwidth and enter 200 Kb/s.

7. Select OK.

 

 

To create a FTP shaper – CLI:

config firewall shaper traffic-shaper edit ftp

set maximum-bandwidth 200

set guaranteed-bandwidth 200 set priority low

end

 

For this shaper, the maximum and guaranteed bandwidth are set low and to the same value. In this case, the bandwidth is restricted to a specific amount. Setting the traffic priority low ensures that more important traffic will be able to pass before FTP traffic.

 

Regular traffic shaper

The regular shaper sets the maximum bandwidth and guaranteed bandwidth for everyday business traffic such as web and email traffic.

 

To create a regular shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers and Create New.

2. Set the Type to Shared.

3. Enter the Name daily_traffic..

4. Set the Traffic Priority to Medium.

5. Select Maximum Bandwidth and enter 600 Kb/s

6. Select Guaranteed Bandwidth and enter 600 Kb/s.

7. Select OK.

 

To create a regular shaper – CLI:

config firewall shaper traffic-shaper edit daily_traffic

set maximum-bandwidth 600

set guaranteed-bandwidth 600 set per-policy enable

set priority medium end

 

For this shaper, the maximum and guaranteed bandwidth are set to a moderate value of 600 Kb/s. It is also set for per policy, which ensures each security policy for day-to-day business traffic has the same distribution of bandwidth.

 

Creating Traffic Shaping Policies

To employ the shapers,create traffic shaping policies that apply to your existing security policy. Create a separate policy for each service and apply the shaper to the outgoing interface you would like to use. For example, a policy for FTP traffic, a policy for SIP and so on.

For the following steps the VoIP traffic shaper is enabled as well as the reverse direction. This ensures that return traffic for a VoIP call has the same guaranteed bandwidth as the outgoing call. The example below shows how to enable each traffic shaper in a traffic shaping policy.

In this example, the traffic shaping policies will apply shaping to the following security policy:

 

Incoming interface                   lan (Internal interface)

Source address                         All

Outgoing interface                   WAN1

Destination address                 All

Schedule                                    always

Service                                       all

Action                                         ACCEPT

 

To create a VOIP traffic shaping policy- web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policy and select Create New.

2. Now create a traffic shaping policy that matches the settings you entered for your security policy:

Source                                        All

Destination                                All

Service                                       All

Application Category               VoIP

Application                                SIP

URL Category                            Internet Telephony

Outgoing Interface                   wan1

3. Enable Shared Shaper, select the voip shaper created in the previous steps.

4. Enable Reverse Shaper, select the voip shaper created in the previous steps.

5. Select Enable this policy.

6. Select OK.

 

To create a VOIP traffic shaping policy- CLI:

config firewall shaping-policy

edit 1 <shaping policy ID number>

set srcaddr all set dstaddr all set service ALL

set application 34640 <SIP>

set app-category 3 <VoIP>

set url-category 76 <Internet Telephony>

set dstintf wan1 <outgoing interface>

set traffic-shaper voip <high priority custom shaper>

set reverse-traffic-shaper voip <high priority custom shaper>

end

 

To create an FTP traffic shaping policy- web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policy and select Create New.

2. Now create a traffic shaping policy that matches the settings you entered for your security policy:

Source                                        All

Destination                                All

Service                                       FTP

Outgoing Interface                   wan1

3. Enable Shared Shaper, select the FTP shaper created in the previous steps.

4. Enable Reverse Shaper, select the FTP shaper created in the previous steps.

5. Select Enable this policy.

6. Select OK.

 

To create an FTP traffic shaping policy- CLI:

config firewall shaping-policy

edit 2 <shaping policy ID number>

set srcaddr all set dstaddr all set service FTP

set dstintf wan1 <outgoing interface>

set traffic-shaper FTP <low priority custom shaper>

set reverse-traffic-shaper FTP <low priority custom shaper>

end

 

To create a Regular traffic shaping policy- web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policy and select Create New.

2. Now create a traffic shaping policy that matches the settings you entered for your security policy:

Source                                        All

Destination                                All

Service                                       ALL

Outgoing Interface                   wan1

3. Enable Shared Shaper, select the medium-priority shaper.

4. Enable Reverse Shaper, select the medium-priority shaper.

5. Select Enable this policy.

6. Select OK.

 

To create a Regular traffic shaping policy- CLI:

config firewall shaping-policy

edit 3 <shaping policy ID number>

set srcaddr all set dstaddr all set service ALL

set dstintf wan1 <outgoing interface>

set traffic-shaper medium-priority <default shaper>

set reverse-traffic-shaper medium-priority <default shaper>

end

 

To order your traffic shaping policies- CLI:

config firewall shaping-policy move 1 before 2

move 3 below 2 end

Ensure that your high priority SIP/VoIP policy is at the top of the policy list, the low pri- ority FTP shaper comes second, and the medium priority regular-traffic shaper comes last. Restrictive policies should always go above more general access policies.

 

Alternate Method of enabling traffic shaping in the security policy

It is also possible to create three separate security policies for each type of traffic (VoIP, FTP, and regular). You can enable traffic shaping individually within each security policy in the CLI only, like the example shown below:

 

To enable traffic shaping in the security policy – CLI:

config firewall policy edit 6

set srcintf <internal_interface>

set scraddr all set dstintf wan1 set dstaddr all set action accept

set schedule always set service sip

set traffic-shaper voip

set reverse-traffic-shaper voip end

QoS using priority from security policies

QoS using priority from security policies

Configurations implementing QoS using the priority values defined in the security policies are capable of applying bandwidth limits and guarantees.

In addition to configuring traffic shaping, you may also choose to limit the bandwidth accepted by each interface. This can be useful in scenarios where the bandwidth received on source interfaces frequently exceeds the maximum bandwidth limit defined in the security policy. Rather than waste processing power on packets that will get dropped later in the process, you may choose to preemptively police the traffic.

If you decide to implement QoS using security policies rather than ToS bit, the FortiGate unit applies QoS to all packets controlled by the policy. This type of control is less granular than prioritization by ToS bit, but has the benefits of correlating quality of service to a security policy. This correlation enables you to distribute traffic over up to four of the possible 6 priority queues (queue 0 to queue 3), does not require other devices in your network to set or respect the ToS bit, and enables you to configure bandwidth limits and guarantees.

In the following example, we limit the bandwidth accepted by each source interface, limit the bandwidth used by sessions controlled by the security policy, and then configure prioritized queuing on the destination interface based upon the priority in the security policy, subject to alternative assignment to queue 0 when necessary to achieve the guaranteed packet rate.

 

To limit bandwidth accepted by an interface

In the CLI, enter the following commands:

config system interface edit <name_str>

set inbandwidth <rate_int>

next end

 

where <rate_int> is the bandwidth limit in Kb/s. Excess packets will be dropped.

 

To configure bandwidth guarantees, limits, and priorities

1. Go to Policy & Objects > Traffic Shapers and select the Create New “Plus” sign.

2. Select Shared or PerIP.

3. Enter a name for the shaper.

4. Select the Traffic Priority.

High has a priority value of 1, Medium is 2, and Low is 3. While the current packet rate is below Guaranteed

Bandwidth, the FortiGate unit will disregard this setting, and instead use priority queue.

5. Enable Max Bandwidth and enter a value.

Packets greater than this rate will be discarded.

6. Enable Guaranteed Bandwidth and enter a value, if any.

Bandwidth guarantees affect prioritization. While packet rates are less than this rate, they use priority queue 0. If this is not the effect you intend, consider entering a small guaranteed rate, or enter 0 to effectively disable bandwidth guarantees.

7. Enable DSCP and set a value.

8. Select OK.

 

PerIP shapers also include the option to set a maximum number of concurrent con- nections and to set both Forward DSCP and Reverse DSCP.

 

Sample configuration

This sample configuration limits ingressing bandwidth to 500 Kb/s. It also applies separate traffic shapers to FTP and HTTP traffic. In addition to the interface bandwidth limit, HTTP traffic is subject to a security policy bandwidth limit of 200 Kb/s.

All egressing FTP traffic greater than 10 Kb/s is subject to a low priority queue (queue 3), while all egressing HTTP traffic greater than 100 Kb/s is subject to a medium priority queue (queue 2). That is, unless FTP traffic rates are lower than their guaranteed rate, and web traffic rates are greater than their guaranteed rate, FTP traffic is lower priority than web traffic.

Traffic less than these guaranteed bandwidth rates use the highest priority queue (queue 0). Set the inbandwidth limits. This setting is only available in the CLI:

config system interface

edit wan1

set inbandwidth 500 next

end

 

Create traffic shapers for FTP and HTTP.

 

To configure an FTP shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers, and select the Create New “Plus” icon.

2. Select Shared.

3. Enter FTP for the name of the shaper.

4. Set Traffic Priority to Low.

5. Select the Guaranteed Bandwidth checkbox and enter 10 Kbps.

6. Select the Maximum Bandwidth checkbox and enter 500 Kbps.

7. Select OK.

8. Select the FTP shaper, right-click it, and select Edit in CLI. Type the following command:

set per-policy end

 

To configure an HTTP shaper – web-based manager:

1. Select the Create New “Plus” icon.

2. Set Type to Shared.

3. Enter HTTP for the name of the shaper.

4. Set Traffic Priority to Medium.

5. Select the Guaranteed Bandwidth checkbox and enter 100 Kbps.

6. Select the Maximum Bandwidth checkbox and enter 200 Kbps.

7. Select OK.

8. Select the HTTP shaper, right-click it, and select Edit in CLI. Type the following command:

set per-policy end

 

To add the FTP shaper to a traffic shaping policy – web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policy and click Create New to create a traffic shaping policy for FTP.

2. Set the Matching Criteria to the following:

Source                                                all

Destination address                        all

Service                                                FTP

3. Under Apply shaper, set the following:

Outgoing interface                            any (The outgoing interface should match the outgoing interface of the security policy you wish to apply shaping to.)

Shared Shaper                           Enable Shared Shaper and select FTP from the dropdown menu.

Reverse Shaper                          Enable Shared Shaper and select FTP from the dropdown menu.

Enable this policy                     Enable this policy.

4. Select OK.

 

To add the HTTP shaper to a traffic shaping policy – web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policyand click Create New to create a traffic shaping policy for HTTP.

2. Set the Matching Criteria to the following:

Source                                                all

Destination address                        all

Service                                                HTTP

3. Under Apply shaper, set the following:

Outgoing interface                            any (The outgoing interface should match the outgoing interface of the security policy you wish to apply shaping to.)

Shared Shaper                           Enable Shared Shaper and select HTTP from the dropdown menu.

Reverse Shaper                          Enable Shared Shaper and select HTTP from the dropdown menu.

Enable this policy                     Enable this policy.

4. Select OK.

5. On the policy list page, move the FTP traffic shaping policy to the top of the list by clicking on the far left column to drag and drop it. The HTTP traffic shaping policy should be below the FTP policy, and more general internet access policies should be at the bottom of the policy list.

 

To configure the FTP and HTTP shapers – CLI:

config firewall shaper traffic-shaper edit FTP

set maximum-bandwidth 500 set guaranteed-bandwidth 10 set per-policy enable

set priority low next

edit HTTP

set maximum-bandwidth 200

set guaranteed-bandwidth 100 set per-policy enable

set priority medium end

 

To add each shaper to a traffic shaping policy- CLI:

config firewall shaping-policy

edit 1 <shaping policy ID number>

set srcaddr all set dstaddr all set service ALL

set dstintf wan1 <outgoing interface>

set traffic-shaper FTP

next

edit 2 <shaping policy ID number>

set srcaddr all set dstaddr all

set service ALL

set dstintf wan1 <outgoing interface>

set traffic-shaper HTTP

next

move 1 before 2 end

Traffic Shaper Monitor

Traffic Shaper Monitor

You can view statistical information about traffic shapers and their bandwidth from FortiView > Traffic Shaping.

Refresh the information on the page.

Table View shows the following columns by default: Shaper, Bytes (Sent/Received), Sessions, Bandwidth, or Dropped Bytes. For more display options, right-click on the column header.

Bubble Chart shows you which resources consume the most bandwidth. Double-click on a shaper to view more details. Determine whether more granular shaping is required by looking at the bandwidth usage by sources, destinations, applications, policies, and sessions.

 

FortiView Settings include the following options:

  • Include Local traffic (Realtime Only)
  • Include Unscanned Applications (Applications View Only)
  • Auto update realtime visualizations
  • Interval (seconds)
  • Threat Weight Settings

 

Examples

While it is possible to configure QoS using a combination of security policies and ToS based priorities, and to distribute traffic over all six of the possible queues for each physical interface, the results of those configurations can be more difficult to analyze due to their complexity. In those cases, prioritization behavior can vary by several factors, including traffic volume, ToS (type of service) or differentiated services markings, and correlation of session to a security policy.

The following simple examples illustrate QoS configurations using either prioritization by security policy, or prioritization by ToS bit, but not both. The examples also assume you are not configuring traffic shaping for interfaces that receive hardware acceleration from network processing units (NPU).

Differentiated Services

Differentiated Services

Differentiated Services describes a set of end-to-end Quality of Service (QoS) capabilities. End-to-end QoS is the ability of a network to deliver service required by specific network traffic from one end of the network to another. By configuring differentiated services, you configure your network to deliver particular levels of service for different packets based on the QoS specified by each packet.

Differentiated Services (also called DiffServ) is defined by RFC 2474 and 2475 as enhancements to IP networking to enable scalable service discrimination in the IP network without the need for per-flow state and signaling at every hop. Routers that can understand differentiated services sort IP traffic into classes by inspecting the DS field in IPv4 header or the Traffic Class field in the IPv6 header.

You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet.

If the differentiated services feature is not enabled, the FortiGate unit treats traffic as if the DSCP value is set to the default (00), and will not change IP packets’ DSCP field. DSCP values are also not applied to traffic if the traffic originates from a FortiGate unit itself.

The FortiGate unit applies the DSCP value and IPsec encryption to the differentiated services (formerly ToS) field in the first word of the IP header. The typical first word of an IP header, with the default DSCP value, is 4500:

  • 4 for IPv4
  • 5 for a length of five words
  • 00 for the default DSCP value

You can change the packet’s DSCP field for traffic initiating a session (forward) or for reply traffic (reverse) and enable each direction separately and configure it in the security policy.

Changes to DSCP values in a security policy effect new sessions. If traffic must use the new DSCP values immediately, clear all existing sessions.

DSCP is enabled using the CLI command:

config firewall policy edit <policy_number>

set diffserv-forward enable

set diffservcode-forward <binary_integer>

set diffserv-reverse enable

set diffservcode-rev <binary_integer>

end

For more information on the different DCSP commands, see the examples below and the CLI Reference. If you only set diffserv-forward and diffserv-reverse without setting the corresponding diffvercode values, the FortiGate unit will reset the bits to zero.

For a list of DSCP values and their ToS equivalents see Differentiated Services on page 2491. DSCP values can also be defined within a shared shaper as a single value, and per-IP shaper for forward and reverse directions.

 

N2

 

 

Fo                    In rti                     te Ga                  r

t

2

 

I

t

 

rti

GG

AN

DSCP examples

 

6

 

 

Fo                      Po rti                        r Ga

te

 

 

t                    P

 

iGG

aa

t6

For all the following DSCP examples, the FortiGate and client PC configuration is the following diagram and used firewall-based DSCP configurations.

Example

In this example, an ICMP ping is executed between User 1 and FortiGate B, through a FortiGate unit. DSCP is disabled on FortiGate B, and FortiGate A contains the following configuration:

config firewall policy edit 2

set srcintf port6 set dstintf port3 set src addr all set dstaddr all set action accept

set schedule always set service ANY

set diffserv-forward enable

set diffservcode-forward 101110

end

 

As a result, FortiGate A changes the DSCP field for outgoing traffic, but not to its reply traffic. The binary DSCP values used map to the following hexadecimal

 

ToS field values, which are observable by a sniffer (also known as a packet tracer):

  • DSCP 000000 is TOS field 0x00
  • DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)

If you performed an ICMP ping between User 1 and User 2, the following output illustrates the IP headers for the request and the reply by sniffers on each of FortiGate unit’s network interfaces. The right-most two digits of each IP header are the ToS field, which contains the DSCP value.

 

 

 

User 1

             

 

User 2

  4500 4500 45b8 45b8 45b8 45b8  
  4500 4500 4500 4500 4500 4500  

Example

In this example, an ICMP ping is executed between User 1 and FortiGate B, through FortiGate A. DSCP is disabled on FortiGate B, and FortiGate A contains the following configuration:

config firewall policy edit 2

set srcintf port6 set dstintf port3 set src addr all set dstaddr all set action accept

set schedule always set service ANY”

set diffserv-forward enable set diffserv-rev enable

set diffservcode-forward 101110 set diffservcode-rev 101111

end

 

As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic. The binary DSCP values in map to the following hexadecimal ToS field values, which are observable by a sniffer (also known as a packet tracer):

  • DSCP 000000 is TOS field 0x00
  • DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
  • DSCP 101111 is TOS field 0xbc

If you performed an ICMP ping between User 1 and User 2, the output below illustrates the IP headers observed for the request and the reply by sniffers on each of FortiGate A’s and FortiGate B’s network interfaces. The right- most two digits of each IP header are the ToS field, which contains the DSCP value.

 

 

User 1

             

User 2

  4500 4500 45b8 45b8 45b8 45b8  
  45bc 45bc 4500 4500 4500 4500  

 

Example

In this example, an ICMP ping is executed between User 1 and FortiGate B, through FortiGate A. DSCP is enabled for both traffic directions on FortiGate A, and enabled only for reply traffic on FortiGate B. FortiGate A contains the following configuration:

config firewall policy edit 2

set srcintf port6 set dstintf port3 set src addr all set dstaddr all set action accept

set schedule always set service ANY

set diffserv-forward enable

set diffserv-rev enable

set diffservcode-forward 101110 set diffservcode-rev 101111

end

 

FortiGate B contains the following configuration:

config firewall policy edit 2

set srcintf wan2

set dstintf internal set src addr all

set dstaddr all set action accept set schedule always set service ANY

set diffserv-rev enable

set diffservcode-rev 101101 end

 

As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic, and FortiGate B changes the DSCP field only for reply traffic. The binary DSCP values in this configuration map to the following hexadecimal ToS field values:

  • DSCP 000000 is TOS field 0x00
  • DSCP 101101 is TOS field 0xb4
  • DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
  • DSCP 101111 is TOS field 0xbc

If you performed an ICMP ping between User 1 and User 2, the output below illustrates the IP headers observed for the request and the reply by sniffers on each of FortiGate A’s and FortiGate B’s network interfaces. The right- most two digits of each IP header are the ToS field, which contains the DSCP value.

 

 

User 1

             

User 2

  4500 4500 45b8 45b8 45b8 45b8  
  45bc 45bc 45b4 45b4 4500 4500  

 

Example

In this example, HTTPS and DNS traffic is sent from User 1 to FortiGate B, through FortiGate A. DSCP is enabled for both traffic directions on FortiGate A, and enabled only for reply traffic on FortiGate B. FortiGate A contains the following configuration:

config firewall policy edit 2

set srcintf port6 set dstintf port3 set src addr all set dstaddr all set action accept

set schedule always set service ANY

set diffserv-forward enable set diffserv-rev enable

set diffservcode-forward 101110 set diffservcode-rev 101111

end

 

FortiGate B contains the following configuration:

config firewall policy edit 2

set srcintf wan2

set dstintf internal set src addr all

set dstaddr all set action accept set schedule always set service ANY

set diffserv-rev enable

set diffservcode-rev 101101 end

As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic, but FortiGate B changes the DSCP field only for reply traffic which passes through its internal interface. Since the example traffic does not pass through the internal interface, FortiGate B does not mark the packets. The binary DSCP values in this configuration map to the following hexadecimal ToS field values:

  • DSCP 000000 is TOS field 0x00
  • DSCP 101101 is TOS field 0xb4, which is configured on FortiGate B but not observed by the sniffer because the example traffic originates from the FortiGate unit itself, and therefore does not match that security policy.
  • DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
  • DSCP 101111 is TOS field 0xbc

If you sent HTTPS or DNS traffic from User 1 to FortiGate B, the following would illustrate the IP headers observed for the request and the reply by sniffers on each of FortiGate A’s and FortiGate B’s network interfaces. The right-most two digits of each IP header are the ToS field, which contains the DSCP value.

User 1                                                                                                                                    User 2

4500           4500                  45b8                                                       45b8

45bc

45bc

4500

4500

 

ToS and DSCP traffic mapping

There are two types of traffic mapping: Type of Service (ToS) or DSCP (Differentiated Services Code Point). Only one method can be used at a time, with ToS set as the default method. You can set the type used and attributes in the CLI.

 

To set ToS or DSCP traffic mapping

config system global

set traffic-priority {tos | dscp}

set traffic-priority-level {low | medium | high }

end

 

Mapping of DSCP and ToS hexadecimal values for QoS

 

Service Class          DSCP Bits               DSCP Value            ToS Value               ToS Hexidecimal
Network Control       111000                       56-63                         224                             0xE0
Internetwork Con-

trol                             110000                       48-55                         192                             0xC0

Critical – Voice

Data (RTP)

 

 

 

Flash Override

Video Data

 

 

 

 

 

 

 

 

Flash Voice Con- trol

 

 

 

 

 

 

 

 

Immediate Deterministic (SNA)

 

 

 

 

 

 

Priority Con- trolled Load

 

 

 

 

 

 

 

 

Routine – Best

Effort

 

101110                       46                               184                             0xB8

 

101000                       40                               160                             0xA0

 

100010                       34                               136                             0x88

 

100100                       36                               144                             0x90

 

100110                       38                               152                             0x98

 

100000                       32                               128                             0x80

 

011010                       26                               104                             0x68

 

011100                       28                               112                             0x70

 

011110                       30                               120                             0x78

 

011000                       24                               96                               0x60

 

010010                       18                               72                               0x48

 

010100                       20                               80                               0x50

 

010110                       22                               88                               0x58

 

010000                       16                               64                               0x40

 

001010                       10                               40                               0x28

 

001100                       12                               48                               0x30

 

001110                       14                               56                               0x38

 

001000                       8                                 32                               0x20

 

000000                       0                                 0                                 0x00

Routine – Penalty

Box                            000010                       2                                 8                                 0x08

Type of Service priority

Type of Service priority

Type of service (ToS) is an 8-bit field in the IP header that enables you to determine how the IP datagram should be delivered, using criteria of Delay, Throughput, Priority, Reliability, and Cost. Each quality helps gateways determine the best way to route datagrams. A router maintains a ToS value for each route in its routing table. The lowest priority ToS is 0; the highest is 7 when bits 3, 4, and 5 are all set to 1. There are other seldom used or reserved bits that are not listed here.

Together these bits are the ToS variable of the tos-based-priority command. The router tries to match the ToS of the datagram to the ToS on one of the possible routes to the destination. If there is no match, the datagram is sent over a zero ToS route. Using increased quality may increase the cost of delivery because better performance may consume limited network resources.

 

Each bit represents the priority as per RFC 1349:

  • 1000 – minimize delay
  • 0100 – maximize throughput
  • 0010 – maximize reliability
  • 0001 – minimize monetary cost

The ToS value is set in the CLI using the commands:

config system tos-based-priority edit <sequence-number>

set tos [0-15]

set priority [high | medium | low]

end

 

Where tos is the value of the type of service bit in the IP datagram header with a value between 0 and 15, and priority is the priority of this type of service priority. These priority levels conform to the firewall traffic shaping priorities, as defined in RFC 1349.

For example, if you want to configure the FortiGate unit so that reliability is the first priority, set the tos value to 4.

config system tos-based-priority edit 1

set tos 4

end

set priority high

 

For a list of ToS values and their DSCP equivalents see Traffic shaping methods on page 2476.

 

Example

config system tos-based-priority edit 1

set tos 1

set priority low next

edit 4

set tos 4

set priority medium next

edit 6

set tos 6

set priority high next

end

 

ToS in FortiOS

Traffic shaping and ToS follow the following sequence:

  • The CLI command tos-based-priority acts as a tos-to-priority mapping. FortiOS maps the ToS to a priority when it receives a packet.
  • Traffic shaping settings adjust the packet’s priority according the traffic.
  • Deliver the packet based on its priority.

 

Traffic Shaping Units of Measurement

Bandwidth speeds are measured in Kilobits per second (Kb/s), and Bytes that are sent/received are measured in megabytes (MB). Occasionally this can cause confusion depending on whether your ISP uses kilobits (kbps), kilobytes (KB), megabits per second (mbps), or gigabits per second (gbps).

 

Download Speeds

  • 1 kilobit per second (kbps) = 8 kilobytes per second (KB/s)
  • 1 megabit per second (mbps) = 1,000,000 bits per second (bps)
  • 1 gigabit per second (gbps) = 1,000 (mbps)

 

File Sizes

  • 1 megabyte (MB) = 1,024 kilobytes (KB)
  • 1 gigabyte (GB) = 1,024 megabytes (MB) or 1,048,576 kilobytes (KB)

 

To change a shaper’s unit of measurement – CLI

config firewall shaper traffic-shaper edit <shaper name>

set bandwidth-unit {kbps | mbps | gbps}

end

Enabling traffic shaping in the security policy

Enabling traffic shaping in the security policy

Historically, FortiOS traffic shapers have always been enabled within a security policy.This is no longer the easiest way to apply shapers, since in FortiOS 5.4 traffic shaping is now configured in the traffic shaping policy section, under Policy & Objects > Traffic Shaping Policy. However, you can still enable traffic shapers within a security policy using CLI commands and it will then appear in the web-based manager afterwards. The shapers always go into effect after any DoS detection policies, and before any routing or packet scanning occurs.

Traffic shaping is also supported for IPv6 policies.

This is not the recommended method, as it is easier to keep track of and order your traffic shaping policies if you configure them within a traffic shaping policy.

 

To enable traffic shaping within a security policy- CLI:

config firewall policy edit <policy number>

set traffic-shaper <shaper name>

set reverse-traffic-shaper <shaper name>

set per-ip-shaper <per IP shaper name>

end

Shared shapers affect outbound traffic heading to a destination. To affect inbound traffic , or downloads, enable the Reverse Shaper, too. For more information, see Reverse direction traffic shaping on page 2487.

Reverse direction traffic shaping

Reverse direction traffic shaping

The shaper you select in the traffic shaping policy (shared shaper) will affect the traffic in the direction defined in the policy. For example, if the source port is lan and the destination is wan1, the shaping affects the flow in this direction only — affecting the upload speed of the outbound traffic. By selecting Shared Traffic Shaper Reverse Direction, you can define the traffic shaper for the policy in the opposite direction to affect the download speed of the inbound traffic. In this example, from wan 1 to lan.

 

To add a reverse shaper

  1. 1. Go to Policy & Objects > Traffic Shaping Policy.
  2. 2. Click Create New or select an existing policy and click Edit.
  3. 3. Set the Matching Criteria to match the interfaces of any security policies you wish to affect.
  4. 4. Navigate to the Apply shaper section, enable the Shared Shaper, and select a shaper from the dropdown menu.
  5. 5. Enable the Reverse Shaper and select a shaper from the dropdown menu.
  6. 6. Select OK.

 

Setting the reverse direction only

There may be instances where you only need traffic shaping for incoming connections, which is in the “reverse” direction of typical traffic shapers.

 

To add a reverse shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policy.

2. Click Create New or select an existing policy and click Edit.

3. Set the Matching Criteria to match the interfaces of any security policies you wish to affect.

4. Navigate to the Apply shaper section, enable the Reverse Shaper and select a shaper from the dropdown menu.

5. Select OK.

 

To configure a reverse-only shaper in a traffic shaping policy – CLI:

config firewall shaping-policy edit <policy_number>

set reverse-traffic-shaper medium-priority end

 

To configure a reverse-only shaper within a security policy- CLI:

config firewall policy edit <policy_number>

set traffic-shaper-reverse <shaper_name>

end