Traffic shaping methods
In FortiOS, there are three types of traffic shaping configurations. Each has a specific function, and all can be used together in varying configurations. Policy shaping enables you to define the maximum bandwidth and the guaranteed bandwidth set for a security policy. Per-IP shaping enables you to define traffic control on a more granular level. Application traffic shaping goes further, enabling traffic controls on specific applications or application groupings.
This chapter describes the types of traffic shapers and how to configure them in the web-based manager and the CLI.
To configure traffic shaping in the web-based manager, you must enable the Traffic Shaping feature under System > Feature Select.
Traffic shaping options
When configuring traffic shaping for your network, there are three methods to control the flow of network traffic, so that the desired traffic gets through while bandwidth is limited for less important or bandwidth-consuming traffic. The three methods are the following:
- Shared policy shaping – bandwidth management by security policies
- Per-IP shaping – bandwidth management by user IP addresses
- Application control shaping – bandwidth management by application
Shapers allow you to define how traffic will flow by setting the traffic priority, bandwidth and DSCP options. Shared policy shapers and Per-IP shapers are created under Policy & Objects > Traffic Shapers.
Traffic Shapers are then enabled within the traffic shaping policy, under Policy & Objects > Traffic Shaping Policy. Application control shaping can be applied to any traffic shaping policy, under Policy & Objects > Traffic Shaping Policy. You can control traffic by application category, application, and/or URL category.
To apply application control shaping, you must first enable application control at the policy level, under Policy & Objects > IPv4 Policy.
Traffic shaping policies allow you to apply traffic shaping measures to any traffic matching your criteria. The criteria must specify a source, a destination, a service, and the outgoing interface. Also, at least one type of shaper must be enabled to create a traffic shaping policy.
The three different traffic shaping options offered by the FortiGate unit can be enabled at the same time within a single traffic shaping policy. Generally, the hierarchy for traffic shapers in FortiOS is:
- Application control shaper
- Shared policy shaper
- Per-IP shaper
Within this hierarchy, if an application control list has a traffic shaper defined, it will always have precedence over any other policy shaper. For example, the Facebook application control example shown in Application control shaping on page 2485 will supersede any traffic shapers enabled in a security policy. While the Facebook application may reach its maximum bandwidth, the user can still use the bandwidth remaining under the shared shaper and, if enabled, the per-IP shaper.
Equally, any security policy shared shaper will have precedence over any per-IP shaper. However, traffic that exceeds any of these shapers will be dropped. For example, the policy shaper takes effect first; however, if the per-IP shaper limit is reached first, traffic for that user will be dropped even if the shared shaper limit for the policy has not been exceeded.
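The interaction described above can be worked through with numbers. The following is an added illustration, not Fortinet code and not a description of how FortiOS implements shaping internally: a simplified steady-state model in which the limits (in kbps), the addresses, the sample flows and the shape() helper are all constructed assumptions.

```python
from collections import defaultdict

# Constructed limits in kbps (assumptions for illustration only).
APP_LIMITS = {"Facebook": 1000}   # application control shaper, per application
SHARED_LIMIT = 10000              # shared policy shaper, pooled across all users
PER_IP_LIMIT = 2000               # per-IP shaper, applied to each source address

# Constructed sample flows: (source IP, application, offered kbps).
SAMPLE_FLOWS = [
    ("10.0.0.5", "Facebook", 1500),
    ("10.0.0.5", "HTTPS", 3000),
    ("10.0.0.6", "HTTPS", 1800),
]

def shape(flows):
    """Return (src, app, passed_kbps, dropped_kbps, limiter) for each flow.

    Model assumption: every shaper is a simple rate ceiling, and the
    application ceiling is pooled across all users of that application.
    """
    app_used = defaultdict(int)
    ip_used = defaultdict(int)
    shared_used = 0
    results = []
    for src, app, offered in flows:
        # Remaining headroom per shaper, listed in the hierarchy order above.
        headroom = []
        if app in APP_LIMITS:
            headroom.append(("application", APP_LIMITS[app] - app_used[app]))
        headroom.append(("shared", SHARED_LIMIT - shared_used))
        headroom.append(("per-ip", PER_IP_LIMIT - ip_used[src]))
        passed, limiter = offered, None
        for name, room in headroom:
            # Traffic exceeding ANY shaper is dropped, so the tightest one wins.
            if room < passed:
                passed, limiter = max(room, 0), name
        app_used[app] += passed
        ip_used[src] += passed
        shared_used += passed
        results.append((src, app, passed, offered - passed, limiter))
    return results

if __name__ == "__main__":
    for row in shape(SAMPLE_FLOWS):
        print(row)
```

In this model the second flow is cut by the per-IP shaper while the shared shaper still has 9000 kbps of headroom, which is the case described in the last paragraph.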