Application control shaping

Traffic shaping is also possible for specific applications. Application control shaping works in conjunction with a Shared Shaper or a Per-IP Shaper. You must create a shaper with the bandwidth settings you would like to enforce, or edit one of the predefined shapers, in the Policy & Objects > Traffic Shapers menu.

Traffic shaping policies allow you to enable these shapers and configure application control options. In the traffic shaping policy, you can set an Application Category, Application, and URL Category. You must also specify which security policies to apply your shaper to by setting the Matching Criteria. You can create a traffic shaping policy in the Policy & Objects > Traffic Shaping Policy section.

For application control shaping to work, application control must be enabled in a security policy, through Policy & Objects > IPv4 Policy or Policy & Objects > IPv6 Policy under Security Profiles.

Also, application control shaping will only affect applications that are set to pass in the Security Profiles > Application Control menu.

For more information on application control, see the FortiOS Chapter 22 – Security Profiles Guide.

 

Example

This example assigns the medium-priority shaper, one of the default traffic shapers, to Facebook traffic.

 

To add traffic shaping for Facebook – web-based manager:

1. Go to Policy & Objects > IPv4 Policy to create a general Internet access security policy.

2. Select the Create New “Plus” icon in the upper right corner of the screen to create a new security policy (or edit an existing Internet access policy).

3. Set the following to enable application control within a security policy:

Name: Enter a descriptive name.
Incoming Interface: Internal
Source address: All
Outgoing interface: wan1
Destination address: all
Schedule: Always
Service: Any
Action: Accept
Application Control: Under Security Profiles, enable Application Control and select the default application control profile.

4. Select OK.

5. Go to Policy & Objects > Traffic Shaping Policy and select the Create New “Plus” icon to create a new traffic shaping policy.

6. To apply your traffic shaping policy to the security policy you created earlier, set the Matching Criteria to the following:

Source: all
Destination address: all
Service: ALL
Application Category: Social.Media
Application: Facebook
URL Category: Social Networking

7. Under Apply shaper, set the following:

Outgoing interface: any (The outgoing interface should match the outgoing interface of the security policy you wish to apply shaping to.)
Shared Shaper: Enable Shared Shaper and select medium-priority from the drop-down menu.
Reverse Shaper: Enable Reverse Shaper and select medium-priority from the drop-down menu.
Enable this policy: Enable this policy.

8. Select OK.

9. On the policy list page, move the Facebook traffic shaping policy to the top of the list by clicking on the far left column to drag and drop it.

 

To create a traffic shaping policy for Facebook – CLI:

config firewall shaping-policy
    edit 1 <shaping policy ID number>
        set srcaddr all
        set dstaddr all
        set service ALL
        set application 15832 <Facebook>
        set app-category 23 <Social.Media>
        set url-category 37 <Social Networking>
        set dstintf wan1 <outgoing interface>
        set traffic-shaper medium-priority
        set traffic-shaper-reverse medium-priority
end

Per-IP shaping

Traffic shaping by IP enables you to apply traffic shaping to all source IP addresses in the security policy. As well as controlling the maximum bandwidth of users of a selected policy, you can also define the maximum number of concurrent sessions.

Per-IP traffic shaping enables you to limit the behavior of every member of a policy, to prevent one user from using all the available bandwidth – it is instead shared equally within the group. Using a per-IP shaper avoids having to create multiple policies for every user you want to apply a shaper to. Per-IP traffic shaping is not supported over NP2 interfaces.

 

Per-IP traffic shaping configuration settings

To configure per-IP traffic shaping, go to Policy & Objects > Traffic Shapers > Per-IP and select the Create New “Plus” sign.

Type: Select Per-IP.
Name: Enter a name for the per-IP traffic shaper.
Maximum Bandwidth: The largest amount of traffic allowed through the security policy. Depending on the service or the users included in the security policy, and on the priority you set for the shaper, this number can provide a larger or smaller throughput. Setting Maximum Bandwidth to 0 (zero) provides unlimited bandwidth.
Maximum Concurrent Connections: Enter the maximum number of allowed concurrent connections.
Forward DSCP / Reverse DSCP: Enter the number for the DSCP value. You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet. For more information, see Traffic shaping methods.

 

Example

The following steps create a Per-IP traffic shaper called “Accounting” with a maximum bandwidth of 720,000 Kb/s and a maximum of 200 concurrent sessions.

 

To create the Per-IP shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers and select the Create New “Plus” Icon.

2. Set the Type to PerIP.

3. Enter the Name Accounting.

4. Enable the Maximum Bandwidth and enter the value 720000.

5. Enable the Maximum Concurrent Sessions and enter the value 200.

6. Select OK.

 

To create the Per-IP shaper – CLI:

config firewall shaper per-ip-shaper
    edit Accounting
        set max-bandwidth 720000
        set max-concurrent-session 200
end

 

Adding a Per-IP traffic shaper to a traffic shaping policy

Per-IP traffic shaping is supported by IPv6 security policies. You can add any Per-IP traffic shaper to an IPv6 security policy in the CLI.

 

Example

The following steps show you how to add an existing Per-IP traffic shaper to an IPv6 security policy. Make sure that you have already created a Per-IP traffic shaper under Policy & Objects > Traffic Shapers.

 

To add a Per-IP traffic shaper to an IPv6 security policy – web-based manager:

1. Go to Policy & Objects > IPv6 Policy and click the Create New “Plus” icon to create an internet access policy.

2. Set the following:

 

Name: Enter a descriptive name.
Incoming Interface: Internal
Source address: All
Outgoing interface: wan1
Destination address: all
Schedule: Always
Service: Any
Action: Accept

3. Select OK.

4. Go to Policy & Objects > Traffic Shaping Policy and select the Create New “Plus” icon to create a new traffic shaping policy.

5. To apply your traffic shaping policy to the security policy you created earlier, set the Matching Criteria to the following:

Source: all
Destination address: all
Service: ALL
Application Category: (leave blank)
Application: (leave blank)
URL Category: (leave blank)

6. Under Apply shaper, set the following:

Outgoing interface: any (The outgoing interface should match the outgoing interface of the security policy you wish to apply shaping to.)
Shared Shaper: (leave disabled)
Reverse Shaper: (leave disabled)
Per-IP Shaper: Enable Per-IP Shaper and select your shaper from the drop-down menu.
Enable this policy: Enable this policy.

7. Select OK.

8. On the policy list page, move the Per-IP traffic shaping policy to the top of the list by clicking on the far left column to drag and drop it.

There are two methods to configure traffic shaping in the CLI. You can add a Per-IP shaper directly to an IPv6 security policy, or you can add a Per-IP shaper to a traffic shaping policy. The second method will allow you to apply traffic shaping based on the interface and can therefore affect multiple security policies easily. The first method requires that you enable traffic shaping individually in ALL policies using the same two interfaces.

 

To add a Per-IP traffic shaper to an IPv6 security policy – CLI:

config firewall policy6
    edit <security policy ID number>
        set per-ip-shaper <per IP shaper name>
end

 

To add a Per-IP traffic shaper to an IPv6 traffic shaping policy – CLI:

config firewall shaping-policy
    edit 1 <shaping policy ID number>
        set ip-version 6
        set srcaddr <source address>
        set dstaddr <destination address>
        set service <service name>
        set dstintf <outgoing interface>
        set per-ip-shaper <per IP shaper name>
end

Shared policy shaping

Traffic shaping by security policy enables you to control the maximum and/or guaranteed throughput for any security policies specified in the Traffic Shaping Policy.

When configuring a shaper, you can select to apply the bandwidth shaping per policy or for all policies. Depending on your selection, the FortiGate unit will apply the shaping rules differently.

By default, a shared shaper applies shaping evenly to all policies using it. For the Per policy and All policies using this shaper options to appear in the web-based manager, you must first enable per-policy shaping in the CLI. Go to Policy & Objects > Traffic Shapers, right-click the shaper to edit it in the CLI, and enter:

set per-policy enable
end

 

Per policy

When selecting a shared shaper to be per policy, the FortiGate unit will apply the shaping rules defined to each security policy individually.

For example, if a shaper is set to per policy with a maximum bandwidth of 1000 Kb/s and applied to four security policies, each policy has the same maximum bandwidth of 1000 Kb/s.

Per policy traffic shaping is compatible with client/server (active-passive) transparent mode WAN optimization rules. Traffic shaping is ignored for peer-to-peer WAN optimization and for client/server WAN optimization not operating in transparent mode.

 

For all policies using a shaper

When selecting a shared shaper to be for all policies – All Policies using this shaper – the FortiGate unit applies the shaping rules to all policies using the same shaper. For example, the shaper is set to be for all policies with a maximum bandwidth of 1000 Kb/s. There are four security policies monitoring traffic through the FortiGate unit. All four have the shaper enabled. Each security policy must share the defined 1000 Kb/s, and bandwidth is allocated on a first come, first served basis. For example, if policy 1 uses 800 Kb/s, the remaining three must share 200 Kb/s. As policy 1 uses less bandwidth, the freed bandwidth is opened up to the other policies to use as required. Once it is used, any other policies will encounter latency until free bandwidth opens from a policy currently in use.

 

Maximum and guaranteed bandwidth

The maximum bandwidth sets the largest amount of traffic allowed through the security policy. Depending on the service or the users included in the security policy, and on the priority you set for the shaper, this number can provide a larger or smaller throughput.

The Maximum Bandwidth can be set to a value between 1 and 16776000 kbit/s. The web-based manager gives an error if any value outside of this range is used, but in the CLI a value of 0 can be entered. Setting maximum-bandwidth to 0 (zero) prevents any traffic from going through the policy.

The guaranteed bandwidth ensures there is a consistent reserved bandwidth available for a given service or user. When setting the guaranteed bandwidth, ensure that the value is significantly less than the bandwidth capacity of the interface; otherwise, little or no other traffic will pass through the interface, potentially causing unwanted latency.

 

Traffic priority

Select a Traffic Priority of high, medium or low, so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server that needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.

Be sure to enable traffic shaping on all security policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default. Distribute security policies over all three priority queues.

 

Traffic shaping policy order

The traffic shaping policies must also be placed in the correct order in the traffic shaping policy list page to get the desired results. It is necessary to arrange your traffic shaping policies into a sequence that places your more granular policies above general internet access policies. For example, you would place any policies with application control shaping at the top of the traffic shaping policy list. More general traffic shaping policies with shared policy shapers and/or Per-IP shapers would follow.

The policy list page is located under Policy & Objects > Traffic Shaping Policy. You can change the order of your policies by selecting the far left column to move the policy up or down. Make sure that the Seq.# column is shown on your menu to easily verify a policy’s position in the sequence.

The following example illustrates how to order your policies. The high priority VoIP traffic shaping policy is placed at the top of the list, followed by restrictive policies to control streaming media, and your general internet access policy is placed last.
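The ordering rule above can be checked mechanically: because the traffic shaping policy list is matched top-down, a general policy placed above a more specific one shadows it. The following is an added example, not FortiOS code; it works on constructed policy dicts (the field names srcaddr, dstaddr, service, app_category, application and url_category, and the category names VoIP and P2P, are taken from this page, while the policy names are invented):

```python
"""Added example (not FortiOS code): detect shaping policies that are
shadowed by a broader policy placed above them, and propose an order
with the most specific policies first."""

MATCH_FIELDS = ("srcaddr", "dstaddr", "service",
                "app_category", "application", "url_category")


def is_any(value):
    """'all', 'ALL', 'any' or an unset matching field matches everything."""
    return value is None or str(value).lower() in ("all", "any")


def covers(general, specific):
    """True if every packet matched by `specific` is also matched by `general`."""
    for field in MATCH_FIELDS:
        g, s = general.get(field), specific.get(field)
        if is_any(g):
            continue                      # wildcard in the upper policy
        if is_any(s) or g != s:
            return False                  # upper policy is narrower here
    return True


def shadowed_policies(policies):
    """(upper_name, lower_name) pairs where a broader policy sits above a
    strictly narrower one, so the lower policy can never match."""
    findings = []
    for i, upper in enumerate(policies):
        for lower in policies[i + 1:]:
            if covers(upper, lower) and not covers(lower, upper):
                findings.append((upper["name"], lower["name"]))
    return findings


def specificity(policy):
    """Number of matching fields that are not wildcards."""
    return sum(1 for f in MATCH_FIELDS if not is_any(policy.get(f)))


def recommended_order(policies):
    """Most specific first; sorted() is stable, so ties keep their order."""
    return sorted(policies, key=specificity, reverse=True)


# Constructed sample in the wrong order: the general Internet policy is on top.
SAMPLE_POLICIES = [
    {"name": "general-internet", "srcaddr": "all", "dstaddr": "all",
     "service": "ALL"},
    {"name": "voip-high-priority", "srcaddr": "all", "dstaddr": "all",
     "service": "ALL", "app_category": "VoIP"},
    {"name": "p2p-restricted", "srcaddr": "all", "dstaddr": "all",
     "service": "ALL", "app_category": "P2P"},
]

if __name__ == "__main__":
    for upper, lower in shadowed_policies(SAMPLE_POLICIES):
        print(f"{lower!r} is shadowed by {upper!r}")
    print([p["name"] for p in recommended_order(SAMPLE_POLICIES)])
```

The check only looks at the matching criteria the page lists; it does not model the outgoing interface or the enable/disable flag, so treat its output as a prompt to review the Seq.# column rather than as a verdict.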

 

Traffic Shaping Policy Configuration Settings

To configure a traffic shaping policy go to Policy & Objects > Traffic Shaping Policy and select the Create New “Plus” sign to create a new traffic shaping policy.

Set the “Matching Criteria” to the default options shown below or specify the criteria so that it matches a specific security policy.

Source: all (default)
Destination: all (default)
Service: ALL (default)
Application Category: Choose an application category to apply shaping to a specific category of applications, for example P2P, Social.Media, or VoIP.
Application: Choose an application to specify which applications you wish to apply traffic shaping to, for example YouTube, Vimeo, or Facebook.
URL Category: Choose a URL category to block a subset of applications, for example potentially liable websites, security risks, or bandwidth consuming services.

Set Apply shaper to the following:

Outgoing Interface: any (default). Set this to the external interface you wish to apply shaping to; for example, wan1 is often used.
Shared Shaper: Choose one of the default shared shapers (guarantee-100kbps, high-priority, medium-priority, low-priority, shared-1M-pipe) or create your own under Policy & Objects > Traffic Shapers. Shared shapers share the allotted bandwidth with any security policies using them (unless they are set to per-policy in the CLI). This affects uploads or outbound traffic.
Reverse Shaper: Choose one of the default shared shapers (guarantee-100kbps, high-priority, medium-priority, low-priority, shared-1M-pipe) or create your own under Policy & Objects > Traffic Shapers. This affects downloads or inbound traffic.
Per-IP Shaper: Enable a Per-IP Shaper if you want to apply bandwidth management by user IP address. Shapers are created under Policy & Objects > Traffic Shapers. Per-IP shapers affect downloads and uploads.
Enable this policy: Policies are enabled by default, but if you wish to disable a traffic shaping policy, de-select it here.

 

To create the traffic shaping policy – CLI:

config firewall shaping-policy
    edit <shaping policy ID>
        set srcaddr <source address>
        set dstaddr <destination address>
        set service <service name>
        set application <application ID list>
        set app-category <application category ID list>
        set url-category <URL category ID list>
        set dstintf <destination interface list>
        set traffic-shaper <shared shaper name>
        set traffic-shaper-reverse <reverse traffic shaper name>
        set per-ip-shaper <per IP shaper name>
end

 

VLAN, VDOM and virtual interfaces

Policy-based traffic shaping does not use queues directly. It shapes the traffic and if the packet is allowed by the security policy, then a priority is assigned. That priority controls what queue the packet will be put in upon egress. VLANs, VDOMs, aggregate ports and other virtual devices do not have queues and as such, traffic is sent directly to the underlying physical device where it is queued and affected by the physical ports. This is also the case with IPsec connections.

 

Shared traffic shaper configuration settings

To configure a shared traffic shaper go to Policy & Objects > Traffic Shapers and select the Create New “Plus” sign to create a new traffic shaper.

Type: Select Shared.
Name: Enter a name for the traffic shaper.
Apply Shaper: When selecting a shaper to be Per Policy, the FortiGate unit applies the shaping rules defined to each security policy individually. For example, if a shaper is set to per policy with a maximum bandwidth of 1000 Kb/s, each security policy that has that shaper enabled gets 1000 Kb/s of bandwidth.

When selecting a shaper to be for all policies (For All Policies Using This Shaper), the FortiGate unit applies the shaping rules to all policies using the same shaper. For example, the shaper is set to be for all policies with a maximum bandwidth of 1000 Kb/s. There are four security policies monitoring traffic through the FortiGate unit. All four have the shaper enabled. Each security policy must share the defined 1000 Kb/s, and bandwidth is allocated on a first come, first served basis. For example, if policy 1 uses 800 Kb/s, the remaining three must share 200 Kb/s. As policy 1 uses less bandwidth, that open bandwidth becomes available to the other policies to use as required. Once used, any other policies will encounter latency until free bandwidth opens from a policy currently in use.

Traffic Priority: Select the priority level (high, medium, or low) so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server that needs to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. If you do not apply any traffic shaping priority, the priority is set to high by default.

Maximum Bandwidth: The largest amount of traffic allowed through the security policy. Depending on the service or the users included in the security policy, and on the priority you set for the shaper, this number can provide a larger or smaller throughput. Setting Maximum Bandwidth to 0 (zero) provides unlimited bandwidth.

Guaranteed Bandwidth: The guaranteed bandwidth ensures that a consistent reserved bandwidth is available for a given service or user. Ensure that you set the bandwidth to a value that is significantly less than the bandwidth capacity of the interface. Otherwise, little to no other traffic will pass through the interface, potentially causing unwanted latency. Setting Guaranteed Bandwidth to 0 (zero) provides unlimited bandwidth.

DSCP: Enter the number for the DSCP value. You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet. For more information, see Traffic shaping methods.

 

Shared Shaper Per Policy Example

The following steps create a Per Policy traffic shaper called “Throughput” with a maximum bandwidth of 720,000 Kb/s, a guaranteed bandwidth of 150,000 Kb/s, and a high traffic priority.

 

To create the shared shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers and select the Create New “Plus” sign.

2. Set the Type to Shared.

3. Enter the Name Throughput.

4. Set the Apply shaper field to Per Policy.

 

By default, a shared shaper applies shaping evenly to all policies using it. For the Per policy and All policies using this shaper options to appear in the web-based manager, you must first enable per-policy shaping in the CLI. Go to Policy & Objects > Traffic Shapers, right-click the shaper to edit it in the CLI, and enter:

set per-policy enable
end

5. Set the Traffic Priority to High.

6. Select the Maximum Bandwidth check box and enter the value 150000.

7. Select the Guaranteed Bandwidth check box and enter the value 120000.

8. Select OK.

 

To create the shared shaper – CLI:

config firewall shaper traffic-shaper
    edit Throughput
        set per-policy enable
        set maximum-bandwidth 150000
        set guaranteed-bandwidth 120000
        set priority high
end

Traffic shaping methods

In FortiOS, there are three types of traffic shaping configurations. Each has a specific function, and all can be used together in varying configurations. Policy shaping enables you to define the maximum bandwidth and the guaranteed bandwidth set for a security policy. Per-IP shaping enables you to define traffic control on a more granular level. Application traffic shaping goes further, enabling traffic controls on specific applications or application groupings.

This chapter describes the types of traffic shapers and how to configure them in the web-based manager and the CLI.

To configure traffic shaping in the web-based manager, you must enable the Traffic Shaping feature under System > Feature Select.

 

Traffic shaping options

When configuring traffic shaping for your network, there are three different methods to control the flow of network traffic to ensure that the desired traffic gets through while also limiting bandwidth for less important or bandwidth consuming traffic. The three methods are the following:

  • Shared policy shaping – bandwidth management by security policies
  • Per-IP shaping – bandwidth management by user IP addresses
  • Application control shaping – bandwidth management by application

Shapers allow you to define how traffic will flow by setting the traffic priority, bandwidth and DSCP options. Shared policy shapers and Per-IP shapers are created under Policy & Objects > Traffic Shapers.

Traffic Shapers are then enabled within the traffic shaping policy, under Policy & Objects > Traffic Shaping Policy. Application control shaping can be applied to any traffic shaping policy, under Policy & Objects > Traffic Shaping Policy. You can control traffic by application category, application, and/or URL category.

To apply application control shaping, you must first enable application control at the policy level, under Policy & Objects > IPv4 Policy.

Traffic shaping policies allow you to apply traffic shaping measures to any traffic matching your criteria. The criteria must specify a source, a destination, a service, and the outgoing interface. Also, at least one type of shaper must be enabled to create a traffic shaping policy.

The three different traffic shaping options offered by the FortiGate unit can be enabled at the same time within a single traffic shaping policy. Generally, the hierarchy for traffic shapers in FortiOS is:

  • Application control shaper
  • Shared policy shaper
  • Per-IP shaper

Within this hierarchy, if an application control list has a traffic shaper defined, it will always have precedence over any other policy shaper. For example, the Facebook application control example shown in Application control shaping on page 2485 will supersede any security policy enabled traffic shapers. While the Facebook application may reach its maximum bandwidth, the user can still have the bandwidth room available from the Shared Shaper and, if enabled, the Per-IP shaper.

Equally, any security policy shared shaper will have precedence over any per-IP shaper. However, traffic that exceeds any of these shapers will be dropped. For example, the policy shaper will take effect first, however, if the per-IP shaper limit is reached first, then traffic for that user will be dropped even if the shared shaper limit for the policy has not been exceeded.
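The two sharing modes described under “Shared policy shaping” (per policy versus all policies, first come, first served) and the shaper hierarchy just described (a packet exceeding any enabled shaper is dropped, even when another shaper on the path still has room) can be illustrated with a small model. This is an added example, not FortiOS code: it reduces each shaper to a one-second allowance in kilobits and ignores priority queues and token refill, and all limits, packet sizes, policy IDs and the source address are constructed.

```python
"""Added example (not FortiOS code): a toy model of shared and Per-IP
shapers as one-second allowances in kilobits.  Bandwidth is handed out
first come, first served; a packet is forwarded only if every enabled
shaper on its path has room, otherwise it is dropped."""


class Budget:
    """Allowance for one interval, in Kb."""

    def __init__(self, limit_kb):
        self.limit_kb = limit_kb
        self.used_kb = 0

    def has_room(self, kb):
        return self.used_kb + kb <= self.limit_kb


class SharedShaper:
    """Shared shaper in either 'per policy' or 'all policies' mode."""

    def __init__(self, limit_kb, per_policy):
        self.limit_kb = limit_kb
        self.per_policy = per_policy
        self._budgets = {}

    def budget_for(self, policy_id):
        # per policy: one allowance per policy; all policies: a single one
        key = policy_id if self.per_policy else "all-policies"
        return self._budgets.setdefault(key, Budget(self.limit_kb))


class PerIpShaper:
    """Per-IP shaper: one allowance per source address."""

    def __init__(self, limit_kb):
        self.limit_kb = limit_kb
        self._budgets = {}

    def budget_for(self, src_ip):
        return self._budgets.setdefault(src_ip, Budget(self.limit_kb))


def forward(packet_kb, budgets):
    """Admit the packet only if every shaper has room (None = not enabled).
    Nothing is deducted from any shaper when the packet is dropped."""
    active = [b for b in budgets if b is not None]
    if not all(b.has_room(packet_kb) for b in active):
        return False
    for b in active:
        b.used_kb += packet_kb
    return True


def sharing_demo(per_policy):
    """Four policies each try to push 800 Kb (ten 80 Kb packets) through a
    1000 Kb/s shared shaper in one interval; returns Kb accepted per policy."""
    shaper = SharedShaper(1000, per_policy)
    accepted = {}
    for policy_id in (1, 2, 3, 4):
        budget = shaper.budget_for(policy_id)
        accepted[policy_id] = sum(80 for _ in range(10) if forward(80, [budget]))
    return accepted


def hierarchy_demo():
    """One policy with a 1000 Kb/s shared shaper and a 200 Kb/s Per-IP shaper.
    A single host sends 500 Kb in 50 Kb packets.  Returns
    (accepted_kb, dropped_kb, shared_used_kb): the Per-IP limit is reached
    first, so traffic is dropped although the shared shaper still has room."""
    shared = SharedShaper(1000, per_policy=True)
    per_ip = PerIpShaper(200)
    policy_budget = shared.budget_for("policy-1")
    host_budget = per_ip.budget_for("192.0.2.10")   # constructed address
    accepted = dropped = 0
    for _ in range(10):
        if forward(50, [policy_budget, host_budget]):
            accepted += 50
        else:
            dropped += 50
    return accepted, dropped, policy_budget.used_kb


if __name__ == "__main__":
    print("per policy:   ", sharing_demo(per_policy=True))
    print("all policies: ", sharing_demo(per_policy=False))
    print("accepted, dropped, shared used:", hierarchy_demo())
```

In all-policies mode the first policy to send takes most of the allowance and the later ones are left with the remainder, which is the first come, first served behaviour the text describes; in the hierarchy demo the shared shaper has used only 200 of its 1000 Kb when the host's Per-IP allowance is exhausted, and the remaining packets are dropped anyway.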

Calculation and regulation of packet rates

Packet rates specified for Maximum Bandwidth or Guaranteed Bandwidth are:

rate = amount / time

where rate is expressed in kilobits per second (Kb/s).

Burst size at any given instant cannot exceed the amount configured in Maximum Bandwidth. Packets in excess are dropped. Packets deduct from the amount of bandwidth available to subsequent packets and available bandwidth regenerates at a fixed rate. As a result, bandwidth available to a given packet may be less than the configured rate, down to a minimum of 0 Kb/s.

 

Rate calculation and behavior can alternatively be described using the token bucket metaphor, where:

  • A traffic flow has an associated bucket, which represents burst size bounds, and is the size of your configured bandwidth limit.
  • The bucket receives tokens, which represent available bandwidth, at the fixed configured rate.
  • As time passes, tokens are added to the bucket, up to the capacity of the bucket; excess tokens are discarded.
  • When a packet arrives, the packet must deduct bandwidth tokens from the bucket equal to its packet size in order to egress.
  • Packets cannot egress if there are insufficient tokens to pay for their egress; these nonconforming packets are dropped.

Bursts are not redistributed over a longer interval, so bursts are propagated rather than smoothed, although their peak size is limited.

Maximum burst size is the capacity of the bucket (the configured bandwidth limit); actual size varies by the current number of tokens in the bucket, which may be less than bucket capacity, due to deductions from previous packets and the fixed rate at which tokens accumulate. A depleted bucket refills at the rate of your configured bandwidth limit. Bursts cannot borrow tokens from other time intervals. This behavior is illustrated in the graph below.

 

Bursts and bandwidth limits over time

By limiting traffic peaks and token regeneration in this way, the available bandwidth at any given moment may be less than bucket capacity, but your limit on the total amount per time interval is ensured. Total bandwidth use during each interval of 1 second is at most the integral of your configured rate.

You may observe that external clients, such as FTP or BitTorrent clients, initially report rates between Maximum Bandwidth and twice that of Maximum Bandwidth, depending on the size of their initial burst. This is notably so when a connection is initiated following a period of no network activity. The apparent discrepancy in rates is caused by a difference in perspective when delimiting time intervals. A burst from the client may initially consume all tokens in the bucket, and before the end of 1 second, as the bucket regenerates, be allowed to consume almost another bucket’s worth of bandwidth. From the perspective of the client, this constitutes one time interval. From the perspective of the FortiGate unit, however, the bucket cannot accumulate tokens while full; therefore, the time interval for token regeneration begins after the initial burst, and does not contain the burst. These different points of reference result in an initial discrepancy equal to the size of the burst — the client’s rate contains it, but the FortiGate unit’s rate does not. If the connection is sustained to its limit and time progresses over an increasing number of intervals, however, this discrepancy decreases in importance relative to the bandwidth total, and the client’s reported rate will eventually approach the FortiGate unit’s configured rate limit.

For example, your Maximum Bandwidth might be 50 Kb/s and there has been no network activity for one or more seconds. The bucket is full. A burst from an FTP client immediately consumes 50 Kb. Because the bucket completely regenerates over 1 second, by the time almost another 1 second has elapsed from the initial burst, traffic can consume another 49.999 Kb, for a total of 99.999 Kb between the two points in time. From the vantage point of an external FTP client regulated by this bandwidth limit, it therefore initially appears that the bandwidth limit is 99.999 Kb/s, almost twice the configured limit of 50 Kb/s. However, bucket capacity only regenerates at your configured rate of 50 Kb/s, and so the connection can only consume a maximum of 50 Kb during each second thereafter. The result is that as bandwidth consumption is averaged over an increasing number of time intervals, each of which is limited to 50 Kb/s, the effect of the first interval’s doubled bandwidth diminishes proportionately, and the client’s reported rate eventually approaches your configured rate limit. The effects are shown in the table below.

 

Effects of a 50 Kb/s limit on client reported rates

Total size transferred (Kb)   Time (s)   Rate reported by client (Kb/s)
99.999 (50 + 49.999)          1          99.999
149.999                       2          74.999
199.999                       3          66.666
249.999                       4          62.499
299.999                       5          59.998
349.999                       6          58.333
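The token bucket behaviour described in this section, and the client-reported rates in the table above, can be reproduced with a short simulation. This is an added example, not FortiOS code: bucket capacity and refill rate both equal the configured Maximum Bandwidth as the text states, the bucket starts full after an idle period, and a greedy client takes whatever tokens exist. The 0.1 ms simulation step is an assumption of the model (FortiOS's internal granularity is not stated on the page), so the figures come out a hair below the page's 49.999-style values rather than exactly equal to them.

```python
"""Added example (not FortiOS code): a token-bucket model of Maximum
Bandwidth.  Bucket size = refill rate = configured limit; nonconforming
packets are dropped.  Reproduces the 'client reports up to twice the
limit at first' effect for a 50 Kb/s limit."""


class TokenBucket:
    """Tokens are kilobits; capacity and refill rate are the configured limit."""

    def __init__(self, limit_kbps):
        self.rate = float(limit_kbps)          # Kb added per second
        self.capacity = float(limit_kbps)      # maximum burst size in Kb
        self.tokens = self.capacity            # full after a period of no traffic

    def refill(self, dt_s):
        # tokens accumulate at the fixed rate; a full bucket discards the excess
        self.tokens = min(self.capacity, self.tokens + self.rate * dt_s)

    def send(self, packet_kb):
        """True if the packet can egress now; otherwise it is dropped."""
        if packet_kb > self.tokens:
            return False
        self.tokens -= packet_kb
        return True


def drop_sequence(limit_kbps, packet_sizes_kb):
    """Outcome for each packet of a burst arriving at one instant (no refill)."""
    bucket = TokenBucket(limit_kbps)
    return [bucket.send(size) for size in packet_sizes_kb]


def greedy_client_rates(limit_kbps, seconds, step_s=0.0001):
    """A client that sends whenever tokens exist, starting from a full bucket.
    Returns {t: rate the client would report after t whole seconds}, i.e.
    total Kb transferred divided by elapsed seconds (the table's last column)."""
    bucket = TokenBucket(limit_kbps)
    total_kb = 0.0
    rates = {}
    steps_per_second = int(round(1 / step_s))
    for i in range(seconds * steps_per_second):
        if i:
            bucket.refill(step_s)           # no refill at t=0: bucket is already full
        chunk = bucket.tokens               # saturating flow takes all that is allowed
        if bucket.send(chunk):
            total_kb += chunk
        if (i + 1) % steps_per_second == 0:
            t = (i + 1) // steps_per_second
            rates[t] = total_kb / t
    return rates


def interval_kb(rates, t):
    """Kb transferred during second t alone, recovered from the running averages."""
    return rates[t] * t - rates[t - 1] * (t - 1)


if __name__ == "__main__":
    r = greedy_client_rates(50, 6)
    for t in sorted(r):
        print(f"{r[t] * t:8.3f} Kb after {t} s -> client reports {r[t]:7.3f} Kb/s")
    print("Kb in second 6 alone:", round(interval_kb(r, 6), 3))
    print("burst of 60, 30, 30, 20 Kb against a full 50 Kb bucket:",
          drop_sequence(50, [60, 30, 30, 20]))
```

The first-second figure is almost twice the limit because it contains the initial 50 Kb burst plus nearly a full second of regeneration, while every later second adds exactly 50 Kb; the reported average therefore decays towards 50 Kb/s as the table shows. The drop sequence shows the other half of the model: a single packet larger than the tokens on hand is discarded rather than queued, even when a smaller packet arriving next can still go through.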

 

 

 

Guaranteed Bandwidth can also be described using a token bucket metaphor. However, because this feature attempts to achieve or exceed a rate rather than limit it, the FortiGate unit does not discard non-conforming packets, as it does for Maximum Bandwidth; instead, when the flow does not achieve the rate, the FortiGate unit increases the packets’ priority queue, in an effort to increase the rate.

Guaranteed and maximum bandwidth rates apply to the bidirectional total for all sessions controlled by the security policy. For example, an FTP connection may entail two separate connections for the data and control portion of the session; some packets may be reply traffic rather than initiating traffic. All packets for both connections are counted when calculating the packet rate for comparison with the guaranteed and maximum bandwidth rate.

 

Important considerations

By implementing QoS, you trade some performance and/or stability from traffic X by discarding packets or introducing latency in order to improve performance and stability of traffic Y. The best traffic shaping configuration for your network will balance the needs of each traffic flow by considering not only the needs of your particular organization, but also the resiliency and other characteristics of each particular service.

For example, you may find that web browsing traffic is both more resistant to interruptions or latency and less business critical than UDP or VoIP traffic, and so you might implement less restrictive QoS measures on UDP or VoIP traffic than on HTTP traffic.

An appropriate QoS configuration will also take into account the physical limits of your network devices, and the interactions of the aforementioned QoS mechanisms, described in Bandwidth guarantee, limit, and priority interactions on page 2468.

You may choose to configure QoS differently based upon the hardware limits of your network and FortiGate unit. Traffic shaping may be less beneficial in extremely high-volume situations where traffic exceeds a network interface’s or your FortiGate model’s overall physical capacity. A FortiGate unit must have enough resources, such as memory and processing power, to process all traffic it receives, and to process it at the required rate; if it does not have this capacity, then dropped packets and increased latency are likely to occur. For example, if the total amount of memory available for queuing on a physical interface is frequently exceeded by your network’s typical packet rates, frames and packets must be dropped. In such a situation, you might choose to implement QoS using a higher model FortiGate unit, or to configure an incoming bandwidth limit on each interface.

Incorrect traffic shaping configurations can actually further degrade certain network flows, because excessive discarding of packets or increased latency beyond points that can be gracefully handled by that protocol can create additional overhead at upper layers of the network, which may be attempting to recover from these errors. For example, a configuration might be too restrictive on the bandwidth accepted by an interface, and may therefore drop too many packets, resulting in the inability to complete or maintain a SIP call.

To optimize traffic shaping performance, first ensure that the network interface’s Ethernet statistics are clean of errors, collisions, or buffer overruns. To check the interface, enter the following diagnose command to see the traffic statistics:

diagnose hardware deviceinfo nic <port_name>

 

If these are not clean, adjust the settings of the FortiGate unit and of the routers or other network devices that are connected to it. For more information, see Troubleshooting traffic shaping on page 2509.

Once Ethernet statistics are clean, you may want to use only some of the available FortiGate QoS techniques, or configure them differently, based upon the nature of FortiGate QoS mechanisms described in Bandwidth guarantee, limit, and priority interactions on page 2468.

 

Configuration considerations include:

  • For maximum bandwidth limits, ensuring that bandwidth limits at the source interface and/or the security policy are not too low, which can cause the FortiGate unit to discard an excessive number of packets.
  • For prioritization, considering the ratios of how packets are distributed between available queues, and which queue is used by which types of services. If you assign most packets to the same priority queue, it negates the effects of configuring prioritization. If you assign many high bandwidth services to high priority queues, lower priority queues may be starved for bandwidth and experience increased or indefinite latency. For example, you may want to prioritize a latency-sensitive service such as SIP over a bandwidth-intensive service such as FTP. Consider also that bandwidth guarantees can affect the queue distribution, assigning packets to queue 0 instead of their typical queue in high-volume situations.
  • You may or may not want to guarantee bandwidth, because it causes the FortiGate unit to assign packets to queue 0 if the guaranteed packet rate is not currently being met. Comparing queuing behavior for lower-bandwidth and higher-bandwidth situations, this would mean that effects of prioritization only become visible as traffic volumes rise and exceed their guarantees. Because of this, you might want only some services to use bandwidth guarantees, to avoid the possibility that in high-volume situations all traffic uses the same queue, thereby negating the effects of configuring prioritization.
  • For prioritization, configure prioritization for all through traffic. You may want to configure prioritization by either ToS-based priority or security policy priority, but not both. This simplifies analysis and troubleshooting.

Traffic subject to both security policy and ToS-based priorities will use a combined priority from both of those parts of the configuration, while traffic subject to only one of the prioritization methods will use only that priority. If you configure both methods, or if you configure either method for only a subset of your traffic, packets for which a combined priority applies will frequently receive a lower priority queue than packets for which you have only configured one priority method, or for which you have not configured prioritization.

For example, if both ToS-based priority and security policy priority both dictate that a packet should receive a “medium” priority, in the absence of bandwidth guarantees, a packet will use queue 3, while if only ToS-based priority had been configured, the packet would have used queue 1, and if only security policy-based priority had been configured, the packet would have used queue 2. If no prioritization had been configured at all, the packet would have used queue 0.

 

FortiGate traffic

Security Policies do not apply to Administrative access to the FortiGate through HTTPS or SSH, or IPsec tunnel negotiations, and therefore FortiGate units do not apply traffic shaping. Such traffic also uses the highest priority queue, queue 0. In other words:

packet priority = 0

Exceptions to this rule include traffic types that are connections related to a session governed by a security policy. For example, if you have enabled scanning by FortiGuard antivirus, traffic from the sender technically terminates at the FortiGate proxy that scans that traffic type; the FortiGate unit initiates a second connection that transmits scanned content to its destination. Because the second connection’s traffic is technically originating from the FortiGate proxy and therefore the FortiGate unit itself, it uses the highest priority queue, queue 0. However, this connection is logically associated with through traffic, and is therefore subject to possible bandwidth enforcement and guarantees in its governing security policy. In this way, it behaves partly like other through traffic.

 

Through traffic

For traffic passing through the FortiGate unit, the method a FortiGate unit uses to determine the priority queue varies by whether Traffic Shaping is enabled or not. Packets may or may not use a priority queue that is derived, directly or indirectly, from the type of service (ToS) bits in the packet’s IP header (the same field is sometimes used for differentiated services instead).

If Traffic Shaping is not applied to a security policy, the FortiGate unit neither limits nor guarantees bandwidth, and traffic for that session uses the priority queue determined directly by matching the ToS bit in its header with your configured values:

 

config system global

set traffic-priority tos

set traffic-priority-level {high | low | medium}

end

 

or, if you have configured a priority specifically for that ToS bit value:

 

config system tos-based-priority

edit <id_int>

set tos [0-15]

set priority {high | low | medium}

end

 

where tos is the value of the ToS bits in the packet’s IP header, and high has a priority value of 0 and low is 2. Priority values configured in the second location will override the global ToS-based priority. In other words:

 

packet priority = ToS-based priority

 

For example, you might specify that packets with a ToS bit value of 2 should use queue 0, the highest priority queue:

 

config system tos-based-priority

edit 15

set tos 2

set priority high

next

end

 

If traffic shaping is applied to a security policy using a shared shaper, the FortiGate unit may subject packets to traffic policing or priority queue increases in an effort to meet bandwidth guarantees configured in the shaper.

 

For example, you might create a Shared Shaper, where high has a priority value of 1 and low is 3, and <rate> is the bandwidth limit in kilobits per second:

config firewall shaper traffic-shaper

edit <shaper_name>

set priority {high | medium | low}

set maximum-bandwidth <rate>

set guaranteed-bandwidth <rate>

end

 

Note that it is also necessary to create a traffic shaping policy and set it to use the shared shaper:

config firewall shaping-policy

edit <policy ID>

set srcaddr <source address>

set dstaddr <destination address>

set service <service name>

set dstintf <destination interface list>

set traffic-shaper <shaper_name>

end

 

The diagram below illustrates traffic queuing as the packet rate increases.

 

 

Traffic queuing as the packet rate increases

  • If the current packet rate is less than Guaranteed Bandwidth, packets use priority queue 0:

packet priority = 0

  • If the current packet rate is greater than Guaranteed Bandwidth but less than Maximum Bandwidth, the FortiGate unit assigns a priority queue by adding the numerical value of the security policy-based priority, where the value of High is 1, and Low is 3, with the numerical value of the ToS-based priority, where high has a priority value of 0 and low is 2. Because the two values are added, depending on the configured ToS-based priorities, packets in this category could use queues from queue 1 to queue 5. In other words:

packet priority = ToS-based priority + security policy-based priority

  • If you have enabled Traffic Shaping in the security policy, and the security policy’s Traffic Priority is Low (value 3), and the priority normally applied to packets with that ToS bit is medium (value 1), then packets have a total packet priority of 4, and use priority queue 4.
  • If the current packet rate exceeds Maximum Bandwidth, excess packets are dropped.

Bandwidth guarantee, limit, and priority interactions

After packet acceptance, the FortiGate unit classifies traffic and may apply traffic policing at additional points during processing. It may also apply QoS techniques, such as prioritization and traffic shaping. Traffic shaping consists of a mixture of traffic policing to enforce bandwidth limits, and priority queue adjustment to assist packets in achieving the guaranteed rate.

If you have configured prioritization, the FortiGate unit prioritizes egressing packets by distributing them among FIFO (first in, first out) queues associated with each possible priority number. Each physical interface has six priority queues. Virtual interfaces do not have their own queues, and instead use the priority queues of the physical interface to which they are bound.

Each physical interface’s six queues are queue 0 to queue 5, where queue 0 is the highest priority queue. However, for the reasons described below, you may observe that your traffic uses only a subset of those six queues. Some traffic may always use a certain queue number. Some queuing may vary by the packet rate or mixture of services. Some queue numbers may be used only by through traffic for which you have configured traffic shaping in the security policy that applies to that traffic session. For example:

  • Administrative access traffic will always use queue 0.
  • Traffic matching security policies without traffic shaping may use queue 0, queue 1, or queue 2. Which queue will be used depends on the priority value you have configured for packets with that ToS (type of service) bit value, if you have configured ToS-based priorities.
  • Traffic matching security policies with traffic shaping may use any queue. Which queue will be used depends on whether the packet rate is currently below the guaranteed bandwidth (queue 0), or above the guaranteed bandwidth. Packets at rates greater than the maximum bandwidth limit are dropped.
  • If the global tos-based-priority is low (3), the priority in a traffic-shaper is medium (2) and a packet flows through a policy that refers to the shaper, the packet will be assigned the priority defined by the shaper, in this case medium (2).

Prioritization and traffic shaping behavior varies by your configuration, the service types and traffic volumes, and by whether the traffic is through traffic, or the traffic originates from or terminates at the FortiGate unit itself.
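The queue selection described in the Through traffic section and summarized in the bullets above, as an added example that is not FortiOS code. It implements the additive rule for through traffic: ToS-based priority (high 0, medium 1, low 2) plus security policy or shaper priority (high 1, medium 2, low 3), with queue 0 whenever the rate is below the guarantee, a drop above the maximum, and queue 0 for administrative traffic. The shaper-overrides-global case in the last bullet above is a separate behaviour that this model does not attempt to reproduce. The `Shaper` type, the `select_queue` and `tos_level` names, and the treatment of a maximum of 0 as "unlimited" are this example's own assumptions.

```python
"""Priority-queue selection model for FortiGate through traffic (added example, not FortiOS code).

ToS-based priority (high=0, medium=1, low=2) is added to the security policy
or shaper priority (high=1, medium=2, low=3) once the guaranteed rate is
exceeded; below the guarantee the packet uses queue 0, above the maximum it
is dropped, and administrative traffic always uses queue 0.
"""
from dataclasses import dataclass
from typing import Dict, Optional

TOS_PRIORITY = {"high": 0, "medium": 1, "low": 2}     # config system tos-based-priority
POLICY_PRIORITY = {"high": 1, "medium": 2, "low": 3}  # config firewall shaper traffic-shaper


@dataclass
class Shaper:
    """The shared shaper referenced by the session's shaping policy (example type)."""
    priority: str              # high | medium | low
    guaranteed_kbps: float
    maximum_kbps: float = 0.0  # 0 is treated here as "no limit" (assumption)


def tos_level(tos: int, per_tos: Dict[int, str], global_level: Optional[str]) -> Optional[str]:
    """Per-ToS entries override the global traffic-priority-level; None = not configured."""
    if not 0 <= tos <= 15:
        raise ValueError("tos must be 0-15")
    return per_tos.get(tos, global_level)


def select_queue(*, admin: bool = False, tos: int = 0,
                 per_tos: Optional[Dict[int, str]] = None,
                 global_level: Optional[str] = None,
                 shaper: Optional[Shaper] = None,
                 rate_kbps: float = 0.0) -> Optional[int]:
    """Return the egress queue number (0-5), or None when the packet is dropped."""
    if admin:
        return 0  # administrative access and IPsec negotiation always use queue 0
    level = tos_level(tos, per_tos or {}, global_level)
    tos_val = TOS_PRIORITY[level] if level else 0       # no ToS prioritization -> 0
    if shaper is None:
        return tos_val                                    # queue 0, 1 or 2 only
    if rate_kbps < shaper.guaranteed_kbps:
        return 0                                          # below the guarantee
    if shaper.maximum_kbps and rate_kbps > shaper.maximum_kbps:
        return None                                       # policed: excess packets dropped
    return tos_val + POLICY_PRIORITY[shaper.priority]     # queues 1 to 5


if __name__ == "__main__":
    medium = Shaper("medium", guaranteed_kbps=200, maximum_kbps=1000)
    # Both methods say "medium": queue 3. Only ToS: queue 1. Only the shaper: queue 2.
    print(select_queue(global_level="medium", shaper=medium, rate_kbps=500))
    print(select_queue(global_level="medium"))
    print(select_queue(shaper=medium, rate_kbps=500))
    # Per-ToS entry for tos 2 set to high overrides a global low: queue 0.
    print(select_queue(tos=2, per_tos={2: "high"}, global_level="low"))
```

The worked values in the text fall out directly: a medium ToS priority plus a Low shaper priority gives queue 4, medium plus medium gives queue 3, and a packet below the guarantee lands in queue 0 regardless of either setting, which is the reason the Important considerations section warns that guarantees can make prioritization invisible until traffic exceeds them.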

Traffic policing

The FortiGate unit begins to process traffic as it arrives (ingress) and departs (egress) on an interface. In later phases of the network processing, such as enforcing maximum bandwidth use on sessions handled by a security policy, if the current rate for the destination interface or traffic regulated by that security policy is too high, the FortiGate unit may drop the packet. Time spent on prior processing, such as web filtering, decryption or IPS, is often wasted on packets that are not forwarded. This applies to VLAN interfaces and physical interfaces.

You can prevent this wasted effort on ingress by configuring the FortiGate unit to preemptively drop excess packets when they are received at the source interface, before most other traffic processing is performed:

config system interface

edit <interface_name>

set inbandwidth <rate_int>

next

end

where <rate_int> is the bandwidth limit in Kb/s. Excess packets will be dropped. If inbandwidth is 0, the rate is not limited.

A similar command is available that can be performed on egress as well using the CLI commands:

config system interface

edit <interface_name>

set outbandwidth <rate_int>

next

end

 

As with ingress, setting the rate to 0 (zero) sets the rate to unlimited.

Rate limiting the traffic accepted by an interface restricts incoming traffic to a rate that is lower than the interface’s full capacity but is more likely, by the time the traffic shaping point in processing is reached, to result in acceptable rates of outgoing traffic per destination interface or across all security policies. This conserves FortiGate processing resources for those packets that are more likely to remain viable all the way to egress.

Excessive traffic policing can degrade network performance rather than improve it. For more details on factors that affect traffic policing, see Important considerations on page 2473.