Quality of Service

Quality of Service

Quality of Service (QoS) is the capability to adjust some quality aspects of your overall network traffic. This can include such techniques as priority-based queuing and traffic policing. Because bandwidth is finite and because some types of traffic are slow, jitter or packet loss sensitive, bandwidth intensive, or operation critical, QoS can be a useful tool for optimizing the performance of the various applications on your network.

Before implementing QoS, organizations should first identify the types of traffic that are important to the organization, the types of traffic that use high amounts of bandwidth, and the types of traffic that are sensitive to latency or packet loss.

For example, a company might want to guarantee sufficient bandwidth for revenue producing e-commerce traffic. They need to ensure that transactions can be completed and that clients do not experience service delays and interruptions. At the same time, the company may need to ensure low latency for voice over IP (VoIP) traffic used by sales and customer support, while traffic latency and bursts may be less critical to the success of other network applications such as long term, resumable file transfers. Many organizations discover that QoS is especially important for managing their voice and streaming multi-media traffic. These types of traffic can rapidly consume bandwidth and are sensitive to latency.

Discovering the needs and relative importance of each traffic type on your network will help you to design an appropriate overall approach, including how you will configure each available QoS component technique. Some organizations discover that they only need to configure bandwidth limits for some services. Other organizations determine that they need to fully configure interface and security policy bandwidth limits for all services, and prioritize queuing of critical services relative to traffic rate.

You can implement QoS on FortiGate units using the following techniques:

Traffic policing                         Drops packets that do not conform to bandwidth limitations.

 

Traffic shaping

Ensures that the traffic may consume bandwidth at least at the guaranteed rate by assigning a greater priority queue if the guarantee is not being met. Also ensures that the traffic cannot consume bandwidth greater than the maximum at any given instance in time. Flows greater than the maximum rate are subject to traffic policing.

Queuing      Transmits packets in order of their assigned priority queue for that physical interface. All traffic in a higher priority traffic queue must be completely transmitted before traffic in lower priority queues will be transmitted.

When deciding how to configure QoS techniques, it can be helpful to know when FortiGate units employ each technique in the overall traffic processing flow, and the considerations that arise from those mechanisms.

The purpose of traffic shaping

The purpose of traffic shaping

Traffic shaping, or traffic management, controls the bandwidth available and sets the priority of traffic processed by the policy to control the volume of traffic for a specific period (bandwidth throttling) or rate the traffic is sent (rate limiting).

Traffic shaping attempts to normalize traffic peaks and bursts to prioritize certain flows over others. But there is a physical limitation to the amount of data which can be buffered and to the length of time. Once these thresholds have been surpassed, frames and packets will be dropped, and sessions will be affected in other ways.

A basic traffic shaping approach is to prioritize certain traffic flows over other traffic whose potential loss is less disadvantageous. This would mean that you accept certain sacrifices in performance and stability on low-priority traffic, to increase or guarantee performance and stability to high-priority traffic.

If, for example, you are applying bandwidth limitations to certain flows, you must accept the fact that these sessions can be limited and therefore negatively impacted.

Note that traffic shaping is effective for normal IP traffic at normal traffic rates. Traffic shaping is not effective during periods when traffic exceeds the capacity of the FortiGate unit. Because packets must be received by the FortiGate unit before they are subject to traffic shaping, if the FortiGate unit cannot process all of the traffic it receives, then dropped packets, delays, and latency are likely to occur.

To ensure that traffic shaping is working at its best, make sure that the interface Ethernet statistics show no errors, collisions or buffer overruns.

Accelerated interfaces (NPx network processors and CE) affect traffic shaping. For more information, see the FortiOS Whats New in Hardware Acceleration for FortiOS 5.4 guide.

Chapter 25 – Traffic Shaping

Chapter 25 – Traffic Shaping

With the ever-increasing demands on network systems for a number of protocols, including email, HTTP traffic both internally and externally to the internet, voice over IP, FTP, and more, slow traffic is becoming a reality. Important traffic may even be dropped or slowed to an unusable speed. Web traffic delays can result in a loss of revenue for businesses.

Traffic shaping attempts to normalize traffic peaks and bursts to prioritize certain flows over others. There is a physical limitation to the amount of data which can be buffered and to the length of time it can be buffered.

FortiGate units provide Quality of Service (QoS) by applying bandwidth limits and prioritization. Using traffic shaping, you can adjust how your FortiGate unit allocates resources to different traffic types to improve performance and stability of latency sensitive or bandwidth intensive network applications.

This chapter describes Quality of Service (QoS), traffic shaping, FortiGate traffic shaping algorithms, and includes configuration procedures for traffic shaping on FortiGate units.

 

This guide contains the following sections:

  • The purpose of traffic shaping describes traffic shaping theories and quality of service.
  • Traffic shaping methods lists different methods of applying traffic shaping within FortiOS, and explains how to use ToS and Differentiated Services.
  • Examples provides basic application scenarios for shapers.
  • Troubleshooting traffic shaping lists diagnose commands to use for determining if traffic shapers are working correctly.

 

 

Whats new in FortiOS 5.4

 

New Traffic Shaper Policy Configuration Method (269943)

Previously, traffic shapers were configured in Policy & Objects > Objects > Traffic Shapers and then applied in security policies under Policy & Objects > Policy > IPv4 . In FortiOS 5.4, traffic shapers are now configured in a new traffic shaping section in Policy & Objects > Traffic Shapers.

The way that traffic shapers are applied to policies has changed significantly in 5.4., because there is now a specific section for traffic shaping policies in Policy & Objects > Traffic Shaping Policy. In the new traffic shaping policies, you must ensure that the Matching Criteria is the same as the security policy or policies you want to apply shaping to. The screen shot below shows the new 5.4 GUI interface:

There is also added Traffic Shaper support based on the following:

  • Source (Address, Local Users, Groups)
  • Destination (Address, FQDN, URL or category)
  • Service (General, Web Access, File Access, Email and Network services, Authentication, Remote Access, Tunneling, VoIP, Messaging and other Applications, Web Proxy)
  • Application
  • Application Category
  • URL Category

 

Creating Application Control Shapers

Application Control Shapers were previously configured in the Security Profiles > Application Control section, but for simplicity they are now consolidated in the same section as the other two types of traffic shapers: Shared and Per-IP.

To create an Application Control Shaper, you must first enable application control at the policy level, in Polic& Objects > Policy > [IPv4 or IPv6]. Then, you can create a matching application-based traffic shaping policy that will apply to it, in the new Traffic Shaping section under Policy & Objects > Traffic Shaping Policy.

 

New attributes added to “firewall shaping-policy” (277030) (275431)

The two new attributes are status and url-category. The status attribute verifies whether the policy is set to enabled or disabled. The url-category attribute applies the shaping-policy to sessions without a URL rating when set to 0, and no web filtering is applied.

 

Syntax:

config firewall shaping-policy edit 1

set status enable

set url-category [category ID number]

 

New button added to “Clone” Shapers

You can now easily create a copy of an existing shaper by selecting the shaper and clicking the Clone button.

Obfuscate HTTP responses

Obfuscate HTTP responses

The FortiGate unit can obfuscate the HTTP responses from the FortiGate admin GUI and SSL VPN servers. By default this option is not enabled. To obfuscate HTTP headers, use the following CLI command:

config system global

set http-obfuscate {none | header-only | modified | no-error}

end

 

Where:

none — do not hide the FortiGate web server identity. header-only — hides the HTTP server banner. modified — provides modified error responses.

no-error — suppresses error responses.

Opening TCP 113

Opening TCP 113

Although seemingly contrary to conventional wisdom of closing ports from hackers, this port, which is used for ident requests, should be opened.

Port 113 initially was used as an authentication port, and later defined as an identification port (see RFC 1413). Some servers may still use this port to help in identifying users or other servers and establish a connection. Because port 113 receives a lot of unsolicited traffic, many routers, including on the FortiGate unit, close this port.

The issue arises in that unsolicited requests are stopped by the FortiGate unit, which will send a response saying that the port is closed. In doing so, it also lets the requesting server know there is a device at the given address, and thus announcing its presence. By enabling traffic on port 113, requests will travel to this port, and will most likely, be ignored and never responded to.

By default, the ident port is closed. To open it, use the following CLI commands:

config system interface edit <port_name>

set ident_accept enable

end

 

You could also further use port forwarding to send the traffic to a non-existent IP address and thus never have a response packet sent.

Rejecting PING requests

Rejecting PING requests

The factory default configuration of your FortiGate unit allows the default external interface to respond to ping requests. Depending on the model of your FortiGate unit the actual name of this interface will vary. For the most secure operation, you should change the configuration of the external interface so that it does not respond to ping requests. Not responding to ping requests makes it more difficult for a potential attacker to detect your FortiGate unit from the Internet. One such potential threat are Denial of Service (DoS) attacks.

A FortiGate unit responds to ping requests if ping administrative access is enabled for that interface.

 

To disable ping administrative access – web-based manager

1. Go to System > Network > Interface.

2. Choose the external interface and select Edit.

3. Clear the Ping Administrative Access check box.

4. Select OK.

In the CLI, when setting the allowaccess settings, by selecting the access types and not including the PING option, that option is then not selected. In this example, only HTTPS is selected.

 

To disable ping administrative access – CLI

config system interface edit external

set allowaccess https

end

CLI Scripts

CLI Scripts

To upload bulk CLI commands and scripts, go to System > Config > Advanced.

Scripts are text files containing CLI command sequences. Scripts can be used to deploy identical configurations to many devices. For example, if all of your devices use identical security policies, you can enter the commands required to create the security policies in a script, and then deploy the script to all the devices which should use those same settings.

Use a text editor such as Notepad or other application that creates simple text files. Enter the commands in sequence, with each line as one command, similar to examples throughout the FortiOS documentation set.

If you are using a FortiGate unit that is not remotely managed by a FortiManager unit or the FortiGuard Analysis and Management Service, the scripts you upload are executed and discarded. If you want to execute a script more than once, you must keep a copy on your management PC.

If your FortiGate unit is configured to use a FortiManager unit, you can upload your scripts to the FortiManager unit, and run them from any FortiGate unit configured to use the FortiManager unit. If you upload a script directly to a FortiGate unit, it is executed and discarded.

If your FortiGate unit is configured to use FortiGuard Analysis and Management Service, scripts you upload are executed and stored. You can run uploaded scripts from any FortiGate unit configured with your FortiGuard Analysis and Management Service account. The uploaded script files appear on the FortiGuard Analysis and Management Service portal web site.

 

Uploading script files

After you have created a script file, you can then upload it through System > Config > Advanced. When a script is uploaded, it is automatically executed.

Commands that require the FortiGate unit to reboot when entered in the command line will also force a reboot if included in a script.

 

To execute a script

1. Go to System > Config > Advanced.

2. Verify that Upload Bulk CLI Command File is selected.

3. Select Browse to locate the script file.

4. Select Apply.

If the FortiGate unit is not configured for remote management, or if it is configured to use a FortiManager unit, uploaded scripts are discarded after execution. Save script files to your management PC if you want to execute them again later.

If the FortiGate unit is configured to use the FortiGuard Analysis and Management Service, the script file is saved to the remote server for later reuse. You can view the script or run it from the FortiGuard Analysis and Management Service portal web site.

Disk

Disk

To view the status and storage information of the local disk on your FortiGate unit, go to System > Config > Advanced. The Disk menu appears only on FortiGate units with an internal hard or flash disk.

 

Formatting the disk

The internal disk of the FortiGate unit (if available) can be formatted by going to System > Config > Advanced and selecting Format.

Formatting the disk will erase all data on it, including databases for antivirus and IPS; logs, quarantine files, and WAN optimization caches. The FortiGate unit requires a reboot once the disk has been formatted.

 

Setting space quotas

If the FortiGate unit has an internal hard or flash disk, you can allocate the space on the disk for specific logging and archiving, and WAN optimization. By default, the space is used on an as required basis. As such, a disk can fill up with basic disk logging, leaving less potential space for quarantine.

By going to System > Config > Advanced, you can select the Edit icon for Logging and Archiving and WAN Optimization & Web Cache and define the amount of space each log, archive and WAN optimization has on the disk.