
QoS using priority from ToS or differentiated services

Configurations implementing QoS using the priority values defined in either global or specific ToS bit values are not capable of applying bandwidth limits and guarantees, but are capable of prioritizing traffic at per-packet levels, rather than uniformly to all services matched by the security policy.

In addition to configuring traffic prioritization, you may also choose to limit bandwidth being received by each interface. This can sometimes be useful in scenarios where you want to limit traffic levels, but do not want to configure traffic shaping within a security policy. This has the benefit of policing traffic at a point before the FortiGate unit performs most processing.

Note that if you implement QoS using the ToS octet rather than security policies, the FortiGate unit applies QoS on a packet-by-packet basis, and priorities may differ between packets and services controlled by the same security policy. This gives more granular control than prioritization by security policy, but has the drawbacks that quality of service may not be uniform for multiple services controlled by the same security policy, packets only use up to three of the six possible queues (queue 0 to queue 2), and bandwidth cannot be guaranteed. Other devices in your network must also be able to set or preserve ToS bits.

In this example, we limit the bandwidth accepted by each source interface, and then configure prioritized queuing on the destination interface based upon the value of the ToS bit located in the IP header of each accepted packet.

To limit bandwidth accepted by an interface, in the CLI, enter the following commands:

config system interface
    edit <name_str>
        set inbandwidth <rate_int>
    next
end

where <rate_int> is the bandwidth limit in Kb/s. Excess packets will be dropped.

To configure priorities, in the CLI, configure the global priority value using the following commands:

config system global
    set tos-based-priority {high | low | medium}
end

where high has a priority value of 0 and low is 2.

If you want to prioritize some ToS bit values differently than the global ToS-based priority, configure the priority for packets with that ToS bit value using the following commands:

config system tos-based-priority
    edit <id_int>
        set tos [0-15]
        set priority {high | low | medium}
    next
end

where tos is the value of the ToS bits in the packet’s IP header, and high has a priority value of 0 and low is 2. Priority values configured here override the global ToS-based priority.

Sample configuration

This sample configuration limits ingressing bandwidth to 500 Kb/s. It also queues egressing traffic based upon the ToS bit in the IP header of ingressing packets.

Unless specified for the packet’s ToS bit value, packets use the low priority queue (queue 2). For ToS bit values 4 and 15, the priorities are specified as medium (value 1) and high (value 0), respectively.

config system interface
    edit wan1
        set inbandwidth 500
    next
end

config system global
    set tos-based-priority low
end

config system tos-based-priority
    edit 4
        set tos 4
        set priority medium
    next
    edit 15
        set tos 15
        set priority high
    next
end

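As an added example (not part of the FortiOS documentation), the following Python parses the sample configuration above and assigns packets to the three queues based on their IPv4 ToS octet. The SAMPLE_CONFIG string is a transcription of the configuration above; the mapping of the 0-15 tos value onto the four RFC 1349 ToS bits that follow the precedence bits is an assumption, as is the queue numbering high = 0, medium = 1, low = 2 taken from the text.

```python
# Added example, not Fortinet's code: parse the ToS-based priority config above and
# map sample packets to the page's three queues (high = 0, medium = 1, low = 2).
import re
PRIORITY_QUEUE = {"high": 0, "medium": 1, "low": 2}

# The sample configuration from the page, transcribed as a constructed input.
SAMPLE_CONFIG = """config system global
    set tos-based-priority low
end
config system tos-based-priority
    edit 4
        set tos 4
        set priority medium
    next
    edit 15
        set tos 15
        set priority high
    next
end"""

def parse_tos_priority_config(text):
    """Return (global_priority, {tos_value: priority}) from FortiOS CLI text."""
    global_priority, per_tos, section, entry = None, {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line == "end":
            section = None
        elif section == "system global":
            if m := re.fullmatch(r"set tos-based-priority (high|medium|low)", line):
                global_priority = m.group(1)
        elif section == "system tos-based-priority":
            if line.startswith("edit "):
                entry = {}
            elif m := re.fullmatch(r"set tos (\d+)", line):
                entry["tos"] = int(m.group(1))
            elif m := re.fullmatch(r"set priority (high|medium|low)", line):
                entry["priority"] = m.group(1)
            elif line == "next":  # entry complete; a later edit for the same tos overrides
                per_tos[entry["tos"]] = entry["priority"]
    return global_priority, per_tos

def tos_field(tos_octet):
    # ASSUMPTION: the 0-15 'tos' value is the 4-bit RFC 1349 ToS field, i.e. the bits
    # between the 3-bit precedence and the trailing MBZ bit of the IPv4 ToS octet.
    return (tos_octet >> 1) & 0x0F

def queue_for_packet(tos_octet, global_priority, per_tos):
    # Per-ToS entries override the global priority; returns the queue number (0-2).
    return PRIORITY_QUEUE[per_tos.get(tos_field(tos_octet), global_priority)]
```

With the sample configuration, an octet of 0x08 (ToS field 4) lands in queue 1, 0x1E (ToS field 15) in queue 0, and 0xE0 (precedence 7, ToS field 0) falls through to the global low priority, queue 2.
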
Example setup for VoIP

In this example, there are three traffic shaping requirements for a network:

  • Voice over IP (VoIP) requires guaranteed, high-priority bandwidth for telephone communications.
  • FTP bursts must be contained so that they do not consume all available bandwidth; this traffic therefore needs to be throttled to a smaller amount.
  • All other email and web-based traffic needs a consistent bandwidth allocation.

To meet these requirements, you need to create three separate shapers and three traffic shaping policies, one for each traffic type.

In this example, the values used are not recommended values.

Creating the traffic shapers

First, create the traffic shapers that define the maximum and guaranteed bandwidth. These shared shapers will be applied per-policy in some cases and to all policies in others, for finer control of traffic.

VoIP shaper

VoIP functionality is a key component of the business as a communication tool and as such requires guaranteed bandwidth. This shaper will be a high-priority shaper.

To create a VoIP shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers and select Create New.

2. Set the Type to Shared.

3. Enter the Name voip.

4. Set the Traffic Priority to High.

5. Select Maximum Bandwidth and enter 1000 Kb/s.

6. Select Guaranteed Bandwidth and enter 800 Kb/s.

7. Select OK.

8. Select the HTTP shaper, right-click it, and select Edit in CLI. Type the following commands:

set per-policy enable
end

To create a VoIP shaper – CLI:

config firewall shaper traffic-shaper
    edit voip
        set maximum-bandwidth 1000
        set guaranteed-bandwidth 800
        set per-policy enable
        set priority high
    next
end

Setting the shaper to per-policy ensures that, regardless of the number of policies that use this shaper, each policy receives the same defined bandwidth. The bandwidth is guaranteed at 800 Kb/s and can rise to 1000 Kb/s when available. Setting the priority to high ensures that the FortiGate unit always treats VoIP traffic as the most important.

FTP shaper

The FTP shaper caps the bandwidth FTP may use, so that sudden uploads or downloads of large files do not cause spikes that interfere with other, more important traffic.

To create an FTP shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers and Create New.

2. Set the Type to Shared.

3. Enter the Name ftp.

4. Set the Traffic Priority to Low.

5. Select Maximum Bandwidth and enter 200 Kb/s.

6. Select Guaranteed Bandwidth and enter 200 Kb/s.

7. Select OK.

To create an FTP shaper – CLI:

config firewall shaper traffic-shaper
    edit ftp
        set maximum-bandwidth 200
        set guaranteed-bandwidth 200
        set priority low
    next
end

For this shaper, the maximum and guaranteed bandwidth are set low and to the same value, so FTP bandwidth is restricted to a fixed amount. Setting the traffic priority to low ensures that more important traffic passes before FTP traffic.

Regular traffic shaper

The regular shaper sets the maximum and guaranteed bandwidth for everyday business traffic such as web and email.

To create a regular shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers and Create New.

2. Set the Type to Shared.

3. Enter the Name daily_traffic.

4. Set the Traffic Priority to Medium.

5. Select Maximum Bandwidth and enter 600 Kb/s.

6. Select Guaranteed Bandwidth and enter 600 Kb/s.

7. Select OK.

To create a regular shaper – CLI:

config firewall shaper traffic-shaper
    edit daily_traffic
        set maximum-bandwidth 600
        set guaranteed-bandwidth 600
        set per-policy enable
        set priority medium
    next
end

For this shaper, the maximum and guaranteed bandwidth are set to a moderate value of 600 Kb/s. It is also set to per-policy, which ensures that each security policy for day-to-day business traffic receives the same distribution of bandwidth.

Creating Traffic Shaping Policies

To employ the shapers, create traffic shaping policies that apply to your existing security policy. Create a separate policy for each service and apply the shaper to the outgoing interface you want to use: for example, one policy for FTP traffic, one for SIP, and so on.

In the following steps the VoIP traffic shaper is enabled in both directions, as the shared shaper and as the reverse shaper. This ensures that return traffic for a VoIP call has the same guaranteed bandwidth as the outgoing call. The example below shows how to enable each traffic shaper in a traffic shaping policy.

In this example, the traffic shaping policies will apply shaping to the following security policy:

Incoming interface      lan (Internal interface)
Source address          All
Outgoing interface      WAN1
Destination address     All
Schedule                always
Service                 all
Action                  ACCEPT

To create a VoIP traffic shaping policy – web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policy and select Create New.

2. Now create a traffic shaping policy that matches the settings you entered for your security policy:

Source                  All
Destination             All
Service                 All
Application Category    VoIP
Application             SIP
URL Category            Internet Telephony
Outgoing Interface      wan1

3. Enable Shared Shaper, select the voip shaper created in the previous steps.

4. Enable Reverse Shaper, select the voip shaper created in the previous steps.

5. Select Enable this policy.

6. Select OK.

To create a VoIP traffic shaping policy – CLI:

config firewall shaping-policy
    edit 1                                  <shaping policy ID number>
        set srcaddr all
        set dstaddr all
        set service ALL
        set application 34640               <SIP>
        set app-category 3                  <VoIP>
        set url-category 76                 <Internet Telephony>
        set dstintf wan1                    <outgoing interface>
        set traffic-shaper voip             <high priority custom shaper>
        set reverse-traffic-shaper voip     <high priority custom shaper>
    next
end

To create an FTP traffic shaping policy – web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policy and select Create New.

2. Now create a traffic shaping policy that matches the settings you entered for your security policy:

Source                  All
Destination             All
Service                 FTP
Outgoing Interface      wan1

3. Enable Shared Shaper, select the FTP shaper created in the previous steps.

4. Enable Reverse Shaper, select the FTP shaper created in the previous steps.

5. Select Enable this policy.

6. Select OK.

To create an FTP traffic shaping policy – CLI:

config firewall shaping-policy
    edit 2                                  <shaping policy ID number>
        set srcaddr all
        set dstaddr all
        set service FTP
        set dstintf wan1                    <outgoing interface>
        set traffic-shaper ftp              <low priority custom shaper, created above as ftp>
        set reverse-traffic-shaper ftp      <low priority custom shaper, created above as ftp>
    next
end

To create a regular traffic shaping policy – web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policy and select Create New.

2. Now create a traffic shaping policy that matches the settings you entered for your security policy:

Source                  All
Destination             All
Service                 ALL
Outgoing Interface      wan1

3. Enable Shared Shaper, select the medium-priority shaper.

4. Enable Reverse Shaper, select the medium-priority shaper.

5. Select Enable this policy.

6. Select OK.

To create a regular traffic shaping policy – CLI:

config firewall shaping-policy
    edit 3                                          <shaping policy ID number>
        set srcaddr all
        set dstaddr all
        set service ALL
        set dstintf wan1                            <outgoing interface>
        set traffic-shaper medium-priority          <default shaper>
        set reverse-traffic-shaper medium-priority  <default shaper>
    next
end

To order your traffic shaping policies – CLI:

config firewall shaping-policy
    move 1 before 2
    move 3 after 2
end

Ensure that your high-priority SIP/VoIP policy is at the top of the policy list, the low-priority FTP shaper comes second, and the medium-priority regular-traffic shaper comes last. Restrictive policies should always go above more general access policies.

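As an added example (not Fortinet's code), this Python script lints the shapers and shaping policies of this setup before they are committed: it checks that every shaper a policy references actually exists (FortiOS object names are case-sensitive, so a policy naming FTP would not find a shaper created as ftp), that no guaranteed rate exceeds its maximum, and that the catch-all policy stays last so it cannot shadow the more specific ones. The SHAPERS and POLICIES tables are transcribed from the steps above; the default shaper names and the specific flags are assumptions.

```python
# Added example, not Fortinet's code: lint the shapers and shaping policies of the
# VoIP setup before committing them. Values are transcribed from the steps above.

# Shared shapers FortiOS ships by default (ASSUMED present; not created above).
DEFAULT_SHAPERS = {"high-priority", "medium-priority", "low-priority"}

# Shapers as created in the CLI steps above (bandwidths in Kb/s).
SHAPERS = {
    "voip": {"max": 1000, "guaranteed": 800, "priority": "high"},
    "ftp": {"max": 200, "guaranteed": 200, "priority": "low"},
    "daily_traffic": {"max": 600, "guaranteed": 600, "priority": "medium"},
}

# Shaping policies in the order the page puts them (1, 2, 3). 'specific' is an
# ASSUMED flag: True when the policy matches more than "service ALL".
POLICIES = [
    {"id": 1, "specific": True, "shaper": "voip", "reverse": "voip"},
    {"id": 2, "specific": True, "shaper": "ftp", "reverse": "ftp"},
    {"id": 3, "specific": False, "shaper": "medium-priority", "reverse": "medium-priority"},
]

def lint_shapers(shapers):
    """A guaranteed rate above the maximum can never be honoured."""
    return [f"shaper {n}: guaranteed {s['guaranteed']} Kb/s exceeds maximum {s['max']} Kb/s"
            for n, s in shapers.items() if s["guaranteed"] > s["max"]]

def lint_policies(policies, shapers):
    """Shaper references must resolve (names are case-sensitive in FortiOS) and a
    catch-all policy must not sit above more specific ones, which it would shadow."""
    known = set(shapers) | DEFAULT_SHAPERS
    problems = []
    for p in policies:
        for key in ("shaper", "reverse"):
            name = p[key]
            if name not in known:
                hint = next((k for k in known if k.lower() == name.lower()), None)
                msg = f"policy {p['id']}: {key} '{name}' is not a defined shaper"
                problems.append(msg + (f" (case mismatch with '{hint}')" if hint else ""))
    for i, p in enumerate(policies):
        if not p["specific"] and any(q["specific"] for q in policies[i + 1:]):
            problems.append(f"policy {p['id']}: catch-all policy shadows more specific policies after it")
    return problems

def lint(shapers=SHAPERS, policies=POLICIES):
    """Return all problems found; an empty list means the configuration is consistent."""
    return lint_shapers(shapers) + lint_policies(policies, shapers)
```

Running lint() on the transcribed tables returns an empty list; swapping the FTP policy's shaper name to FTP, or moving policy 3 above the others, produces a finding for each problem.
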
Alternate Method of enabling traffic shaping in the security policy

It is also possible to create three separate security policies, one for each type of traffic (VoIP, FTP, and regular), and enable traffic shaping individually within each security policy. This can be done in the CLI only, as shown in the example below:

To enable traffic shaping in the security policy – CLI:

config firewall policy
    edit 6
        set srcintf <internal_interface>
        set srcaddr all
        set dstintf wan1
        set dstaddr all
        set action accept
        set schedule always
        set service SIP
        set traffic-shaper voip
        set reverse-traffic-shaper voip
    next
end

