Shared policy shaping


Traffic shaping by security policy enables you to control the maximum and/or guaranteed throughput for any security policies specified in the Traffic Shaping Policy.

When configuring a shaper, you can select to apply the bandwidth shaping per policy or for all policies. Depending on your selection, the FortiGate unit will apply the shaping rules differently.

By default, a shared shaper applies shaping evenly across all policies that use it. For the Per policy and All policies using this shaper options to appear in the web-based interface, you must first enable the per-policy setting in the CLI. Go to Policy & Objects > Traffic Shapers, right-click the shaper to edit it in the CLI, and enter:

set per-policy enable
end

 

Per policy

When selecting a shared shaper to be per policy, the FortiGate unit will apply the shaping rules defined to each security policy individually.

For example, if a shaper is set to per policy with a maximum bandwidth of 1000 Kb/s and applied to four security policies, each policy has the same maximum bandwidth of 1000 Kb/s.

Per policy traffic shaping is compatible with client/server (active-passive) transparent mode WAN optimization rules. Traffic shaping is ignored for peer-to-peer WAN optimization and for client/server WAN optimization not operating in transparent mode.

 

For all policies using a shaper

When selecting a shared shaper to be for all policies – All Policies using this shaper – the FortiGate unit applies the shaping rules to all policies using the same shaper. For example, the shaper is set to be for all policies with a maximum bandwidth of 1000 Kb/s. There are four security policies monitoring traffic through the FortiGate unit, and all four have the shaper enabled. The four policies must share the defined 1000 Kb/s on a first come, first served basis. For example, if policy 1 uses 800 Kb/s, the remaining three must share 200 Kb/s. As policy 1 uses less bandwidth, the freed bandwidth becomes available to the other policies as required. Once the 1000 Kb/s is fully in use, any other policies will encounter latency until bandwidth is released by a policy currently using it.

 

Maximum and guaranteed bandwidth

The maximum bandwidth tells the security policy the largest amount of traffic allowed to use the policy. Depending on the service or the users included in the security policy, this number can provide a larger or smaller throughput depending on the priority you set for the shaper.

The Maximum Bandwidth can be set to a value of between 1 and 16776000 kbit/s. The Web-Based Manager gives an error if any value outside of this range is used, but in the CLI a value of 0 can be entered. Setting maximum-bandwidth to 0 (zero) prevents any traffic from going through the policy.

The guaranteed bandwidth ensures there is a consistent reserved bandwidth available for a given service or user. When setting the guaranteed bandwidth, ensure that the value is significantly less than the bandwidth capacity of the interface; otherwise little or no other traffic will pass through the interface, potentially causing unwanted latency.

 

Traffic priority

Select a Traffic Priority of high, medium or low, so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server that needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.

Be sure to enable traffic shaping on all security policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default. Distribute security policies over all three priority queues.
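The Per policy versus All policies behaviour, the guaranteed and maximum limits, and the priority queues described above can be hard to reason about together. The following is an added example, not FortiGate code or Fortinet's algorithm: a small Python model that allocates an interface's capacity to security policies the way the text describes (guaranteed bandwidth reserved first, remaining capacity handed out high priority first, first come first served within a priority, and the maximum applied either per policy or across all policies using the shaper). The shaper names, policy IDs, demands and capacity figures are constructed for the illustration.

```python
"""Toy model of shared-shaper allocation (constructed example, not Fortinet code).

All figures are Kb/s, as on the page. The model is only as precise as the
prose it follows; it exists to make the two shaper modes and the
guaranteed/maximum/priority interaction concrete.
"""
from dataclasses import dataclass

PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}   # lower rank is served first


@dataclass
class Shaper:
    name: str
    maximum: int        # ceiling in Kb/s
    guaranteed: int     # reserved Kb/s per policy using the shaper
    priority: str       # "high" | "medium" | "low"
    per_policy: bool    # True = Per Policy, False = All Policies using this shaper


@dataclass
class Policy:
    policy_id: int      # hypothetical security policy ID
    shaper: Shaper
    demand: int         # Kb/s the policy's sessions are trying to push
    arrival: int        # order in which the policy's traffic started (first come, first served)


def allocate(policies, interface_capacity):
    """Return {policy_id: Kb/s granted} for one scheduling round.

    Pass 1 reserves each policy's guaranteed bandwidth, capped by its demand
    and by what the interface still has. Pass 2 hands out the rest in
    priority order, then arrival order, never exceeding the shaper maximum.
    In All Policies mode the maximum is consumed jointly by every policy on
    that shaper; in Per Policy mode each policy gets its own ceiling.
    """
    grant = {p.policy_id: 0 for p in policies}
    free = interface_capacity
    order = sorted(policies, key=lambda p: (PRIORITY_RANK[p.shaper.priority], p.arrival))

    # Pass 1: guaranteed bandwidth is reserved before any best-effort traffic.
    for p in order:
        reserved = min(p.shaper.guaranteed, p.demand, free)
        grant[p.policy_id] += reserved
        free -= reserved

    # Track how much of each shaper's ceiling is already spoken for.
    used_by_shaper = {}
    for p in policies:
        used_by_shaper[p.shaper.name] = used_by_shaper.get(p.shaper.name, 0) + grant[p.policy_id]

    # Pass 2: best effort up to the maximum, high priority first.
    for p in order:
        s = p.shaper
        if s.per_policy:
            ceiling_left = s.maximum - grant[p.policy_id]
        else:
            ceiling_left = s.maximum - used_by_shaper[s.name]
        extra = max(0, min(p.demand - grant[p.policy_id], ceiling_left, free))
        grant[p.policy_id] += extra
        used_by_shaper[s.name] += extra
        free -= extra
    return grant


if __name__ == "__main__":
    # The page's 1000 Kb/s, four-policy scenario, policy 1 first with 800 Kb/s.
    for mode in (False, True):
        pipe = Shaper("shared-1M-pipe", 1000, 0, "high", per_policy=mode)
        pols = [Policy(1, pipe, 800, 1), Policy(2, pipe, 500, 2),
                Policy(3, pipe, 500, 3), Policy(4, pipe, 500, 4)]
        print("per policy" if mode else "all policies", allocate(pols, 10000))
```

In All Policies mode the run gives policy 1 its 800 Kb/s and leaves 200 Kb/s for policy 2 with nothing for policies 3 and 4, exactly the first come, first served sharing the text describes; switching the same shaper to Per Policy lets every policy send up to 1000 Kb/s on its own. Adding a low-priority shaper with a guaranteed value shows the other half of the story: the guarantee is honoured before a high-priority policy gets the remainder of the interface.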

 

Traffic shaping policy order

The traffic shaping policies must also be placed in the correct order in the traffic shaping policy list page to get the desired results. It is necessary to arrange your traffic shaping policies into a sequence that places your more granular policies above general internet access policies. For example, you would place any policies with application control shaping at the top of the traffic shaping policy list. More general traffic shaping policies with shared policy shapers and/or Per-IP shapers would follow.

The policy list page is located under Policy & Objects > Traffic Shaping Policy. You can change the order of your policies by selecting the far left column to move the policy up or down. Make sure that the Seq.# column is shown on your menu to easily verify a policy’s position in the sequence.

The following example illustrates how to order your policies. The high priority VoIP traffic shaping policy is placed at the top of the list, followed by restrictive policies to control streaming media, and your general internet access policy is placed last.
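Because the shaping policy list is evaluated top-down and the first match wins, a general policy placed above a granular one shadows it without any error being raised. The following is an added example, not FortiGate code: a Python first-match lookup over a constructed policy list using the section's matching criteria (source, destination, service, application category), plus a check that reports policies an earlier, broader entry makes unreachable. The policy names, sequence numbers and category labels are constructed for the illustration.

```python
"""First-match lookup and shadowing check for a shaping policy list
(constructed example, not Fortinet code)."""
from dataclasses import dataclass
from typing import Optional

ANY = "all"   # the page's *all / *ALL wildcard


@dataclass
class ShapingPolicy:
    seq: int                              # position in the Seq.# column
    name: str                             # hypothetical policy name
    srcaddr: str = ANY
    dstaddr: str = ANY
    service: str = ANY
    app_category: Optional[str] = None    # None = no application category restriction
    shaper: str = "shared-1M-pipe"


@dataclass
class Flow:
    srcaddr: str
    dstaddr: str
    service: str
    app_category: Optional[str]           # None = application not identified


def matches(policy, target):
    """True if `policy` matches `target`. `target` may be a Flow or another
    ShapingPolicy: a policy "matches" a narrower policy when every criterion
    is either the wildcard or equal, which is exactly the shadowing case."""
    return ((policy.srcaddr == ANY or policy.srcaddr == target.srcaddr)
            and (policy.dstaddr == ANY or policy.dstaddr == target.dstaddr)
            and (policy.service == ANY or policy.service == target.service)
            and (policy.app_category is None or policy.app_category == target.app_category))


def lookup(policies, flow):
    """Return the first policy (by Seq.#) that matches the flow, or None."""
    for p in sorted(policies, key=lambda p: p.seq):
        if matches(p, flow):
            return p
    return None


def shadowed(policies):
    """Names of policies that can never be reached because an earlier policy
    is at least as general on every criterion."""
    ordered = sorted(policies, key=lambda p: p.seq)
    return [later.name for i, later in enumerate(ordered)
            if any(matches(earlier, later) for earlier in ordered[:i])]


# Constructed list in the order the page recommends: VoIP first, streaming
# media next, general internet access last.
GOOD_ORDER = [
    ShapingPolicy(1, "voip", app_category="VoIP", shaper="high-priority"),
    ShapingPolicy(2, "streaming", app_category="Video/Audio", shaper="low-priority"),
    ShapingPolicy(3, "general-internet"),
]

# Same policies with the general one moved to the top.
BAD_ORDER = [
    ShapingPolicy(1, "general-internet"),
    ShapingPolicy(2, "voip", app_category="VoIP", shaper="high-priority"),
    ShapingPolicy(3, "streaming", app_category="Video/Audio", shaper="low-priority"),
]

VOIP_CALL = Flow("10.0.0.5", "203.0.113.7", "ALL", "VoIP")   # constructed sample flow

if __name__ == "__main__":
    print("good order ->", lookup(GOOD_ORDER, VOIP_CALL).name)
    print("bad order  ->", lookup(BAD_ORDER, VOIP_CALL).name)
    print("shadowed in bad order:", shadowed(BAD_ORDER))
```

With the recommended ordering the VoIP call lands on the high-priority shaper; with the general policy on top it gets the default shaper and both granular policies are reported as shadowed, which is the situation the Seq.# check in the web-based manager is meant to help you spot.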

 

Traffic Shaping Policy Configuration Settings

To configure a traffic shaping policy go to Policy & Objects > Traffic Shaping Policy and select the Create New “Plus” sign to create a new traffic shaping policy.

Set the “Matching Criteria” to the default options shown below or specify the criteria so that it matches a specific security policy.

Source – *all (default)

Destination – *all (default)

Service – *ALL (default)

Application Category – Choose an application category to apply shaping to a specific category of applications. For example, P2P, Social.Media, or VoIP.

Application – Choose an application to specify which applications you wish to apply traffic shaping to. For example, YouTube, Vimeo, or Facebook.

URL Category – Choose a URL category to block a subset of applications. For example, potentially liable websites, security risks, or bandwidth consuming services.

Set Apply shaper to the following:

Outgoing Interface – *any (Set this to the external interface you wish to apply shaping to. For example, wan1 is often used.)

Shared Shaper – Choose one of the default shared shapers: guarantee-100kbps, high-priority, medium-priority, low-priority, shared-1M-pipe, or create your own under Policy & Objects > Traffic Shapers. Shared shapers share the allotted bandwidth with any security policies using them (unless they are set to per-policy in the CLI). This affects uploads or outbound traffic.

Reverse Shaper – Choose one of the default shared shapers: guarantee-100kbps, high-priority, medium-priority, low-priority, shared-1M-pipe, or create your own under Policy & Objects > Traffic Shapers. This affects downloads or inbound traffic.

Per-IP Shaper – Enable a Per-IP Shaper if you want to apply bandwidth management by user IP address. Shapers are created under Policy & Objects > Traffic Shapers. Per-IP shapers affect downloads and uploads.

Enable this policy – Policies are enabled by default, but if you wish to disable a traffic shaping policy, de-select it here.

 

To create the traffic shaping policy – CLI:

config firewall shaping-policy
    edit <shaping policy ID>
        set srcaddr <source address>
        set dstaddr <destination address>
        set service <service name>
        set application <application name>
        set app-category <application category ID list>
        set url-category <URL category ID list>
        set dstintf <destination interface list>
        set traffic-shaper <shared shaper name>
        set traffic-shaper-reverse <reverse traffic shaper name>
        set per-ip-shaper <per IP shaper name>
    next
end

 

VLAN, VDOM and virtual interfaces

Policy-based traffic shaping does not use queues directly. It shapes the traffic and if the packet is allowed by the security policy, then a priority is assigned. That priority controls what queue the packet will be put in upon egress. VLANs, VDOMs, aggregate ports and other virtual devices do not have queues and as such, traffic is sent directly to the underlying physical device where it is queued and affected by the physical ports. This is also the case with IPsec connections.

 

Shared traffic shaper configuration settings

To configure a shared traffic shaper go to Policy & Objects > Traffic Shapers and select the Create New “Plus” sign to create a new traffic shaper.

Type – Select Shared.

Name – Enter a name for the traffic shaper.

Apply Shaper – When selecting a shaper to be Per Policy, the FortiGate unit will apply the shaping rules defined to each security policy individually. For example, if a shaper is set to per policy with a maximum bandwidth of 1000 Kb/s, any security policies that have that shaper enabled will get 1000 Kb/s of bandwidth each.

When selecting a shaper to be for all policies – For All Policies Using This Shaper – the FortiGate unit applies the shaping rules to all policies using the same shaper. For example, the shaper is set to be for all policies with a maximum bandwidth of 1000 Kb/s. There are four security policies monitoring traffic through the FortiGate unit, and all four have the shaper enabled. The four policies must share the defined 1000 Kb/s on a first come, first served basis. For example, if policy 1 uses 800 Kb/s, the remaining three must share 200 Kb/s. As policy 1 uses less bandwidth, that freed bandwidth becomes available to the other policies to use as required. Once the 1000 Kb/s is fully in use, any other policies will encounter latency until bandwidth is released by a policy currently using it.

Traffic Priority – Select the priority (level of importance) so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server that needs to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority.

If you do not apply any traffic shaping priority, the priority is set to high priority by default.

Maximum Bandwidth – The maximum bandwidth tells the security policy the largest amount of traffic allowed to use the policy. Depending on the service or the users included in the security policy, this number can provide a larger or smaller throughput depending on the priority you set for the shaper.

Setting Maximum Bandwidth to 0 (zero) provides unlimited bandwidth.

Guaranteed Bandwidth – The guaranteed bandwidth ensures that a consistent reserved bandwidth is available for a given service or user. Ensure that you set the bandwidth to a value that is significantly less than the bandwidth capacity of the interface. Otherwise little to no other traffic will pass through the interface, potentially causing unwanted latency.

Setting Guaranteed Bandwidth to 0 (zero) provides unlimited bandwidth.

DSCP – Enter the number for the DSCP value. You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet. For more information, see Traffic shaping methods.

 

Shared Shaper Per Policy Example

The following steps create a Per Policy traffic shaper called “Throughput” with a maximum traffic amount of 720,000 Kb/s and a guaranteed traffic amount of 150,000 Kb/s, with a high traffic priority.

 

To create the shared shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers and select the Create New “Plus” sign.

2. Set the Type to Shared.

3. Enter the Name Throughput.

4. Set the Apply shaper field to Per Policy.

 

By default, a shared shaper applies shaping evenly across all policies that use it. For the Per policy and All policies using this shaper options to appear in the web-based interface, you must first enable the per-policy setting in the CLI. Go to Policy & Objects > Traffic Shapers, right-click the shaper to edit it in the CLI, and enter:

set per-policy enable
end

5. Set the Traffic Priority to High.

6. Select the Maximum Bandwidth check box and enter the value 150000.

7. Select the Guaranteed Bandwidth check box and enter the value 120000.

8. Select OK.

 

To create the shared shaper – CLI:

config firewall shaper traffic-shaper
    edit Throughput
        set per-policy enable
        set maximum-bandwidth 150000
        set guaranteed-bandwidth 120000
        set priority high
    next
end
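When shaper definitions are exported or reviewed in bulk, it helps to check them against the limits stated in this section rather than by eye. The following is an added example, not FortiGate code: a Python parser for the `config firewall shaper traffic-shaper` block shown above that collects each shaper's settings and flags a maximum-bandwidth outside the 1 to 16776000 kbit/s range the web-based manager accepts, or a guaranteed-bandwidth larger than the maximum-bandwidth (a guarantee the ceiling can never honour). The second shaper in the sample text, `Oversubscribed`, is constructed to trigger both findings.

```python
"""Parse and sanity-check FortiGate traffic-shaper CLI blocks
(constructed example, not Fortinet code)."""
import re

MAX_KBPS = 16776000   # upper bound for Maximum Bandwidth given on the page

# Constructed sample: the page's Throughput shaper plus a deliberately bad one.
SAMPLE = """\
config firewall shaper traffic-shaper
    edit Throughput
        set per-policy enable
        set maximum-bandwidth 150000
        set guaranteed-bandwidth 120000
        set priority high
    next
    edit Oversubscribed
        set maximum-bandwidth 20000000
        set guaranteed-bandwidth 30000000
        set priority low
    next
end
"""

EDIT_RE = re.compile(r'^edit\s+"?([^"]+?)"?$')
SET_RE = re.compile(r'^set\s+(\S+)\s+(.+)$')


def parse_shapers(text):
    """Return {shaper name: {setting: value}} from a traffic-shaper config block.
    Numeric values are converted to int; everything else stays a string."""
    shapers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            shapers[current] = {}
            continue
        if line in ("next", "end"):
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip().strip('"')
            shapers[current][key] = int(value) if value.isdigit() else value
    return shapers


def check_shaper(name, settings):
    """Return a list of human-readable findings for one shaper (empty = clean)."""
    findings = []
    maximum = settings.get("maximum-bandwidth")
    guaranteed = settings.get("guaranteed-bandwidth")
    if maximum is not None and not (1 <= maximum <= MAX_KBPS):
        findings.append(f"{name}: maximum-bandwidth {maximum} is outside 1..{MAX_KBPS}")
    if maximum is not None and guaranteed is not None and guaranteed > maximum:
        findings.append(f"{name}: guaranteed-bandwidth {guaranteed} exceeds maximum-bandwidth {maximum}")
    return findings


def audit(text):
    """Parse a config block and return every finding across all shapers."""
    return [f for name, s in parse_shapers(text).items() for f in check_shaper(name, s)]


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The parser deliberately ignores anything outside `edit`/`next` pairs, so it can be pointed at a larger configuration dump as long as the traffic-shaper section is passed in; the range check reflects the web-based manager limits quoted in this section, and the CLI's different treatment of 0 noted above is left to the reader.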

