Chapter 25 – Traffic Shaping
With the ever-increasing demands on network systems for a number of protocols, including email, HTTP traffic both internally and externally to the internet, voice over IP, FTP, and more, slow traffic is becoming a reality. Important traffic may even be dropped or slowed to an unusable speed. Web traffic delays can result in a loss of revenue for businesses.
Traffic shaping attempts to normalize traffic peaks and bursts to prioritize certain flows over others. There is a physical limitation to the amount of data which can be buffered and to the length of time it can be buffered.
FortiGate units provide Quality of Service (QoS) by applying bandwidth limits and prioritization. Using traffic shaping, you can adjust how your FortiGate unit allocates resources to different traffic types to improve performance and stability of latency sensitive or bandwidth intensive network applications.
This chapter describes Quality of Service (QoS), traffic shaping, FortiGate traffic shaping algorithms, and includes configuration procedures for traffic shaping on FortiGate units.
This guide contains the following sections:
- The purpose of traffic shaping describes traffic shaping theories and quality of service.
- Traffic shaping methods lists different methods of applying traffic shaping within FortiOS, and explains how to use ToS and Differentiated Services.
- Examples provides basic application scenarios for shapers.
- Troubleshooting traffic shaping lists diagnose commands to use for determining if traffic shapers are working correctly.
What‘s new in FortiOS 5.4
New Traffic Shaper Policy Configuration Method (269943)
Previously, traffic shapers were configured in Policy & Objects > Objects > Traffic Shapers and then applied in security policies under Policy & Objects > Policy > IPv4 . In FortiOS 5.4, traffic shapers are now configured in a new traffic shaping section in Policy & Objects > Traffic Shapers.
The way that traffic shapers are applied to policies has changed significantly in 5.4., because there is now a specific section for traffic shaping policies in Policy & Objects > Traffic Shaping Policy. In the new traffic shaping policies, you must ensure that the Matching Criteria is the same as the security policy or policies you want to apply shaping to. The screen shot below shows the new 5.4 GUI interface:
There is also added Traffic Shaper support based on the following:
- Source (Address, Local Users, Groups)
- Destination (Address, FQDN, URL or category)
- Service (General, Web Access, File Access, Email and Network services, Authentication, Remote Access, Tunneling, VoIP, Messaging and other Applications, Web Proxy)
- Application Category
- URL Category
Creating Application Control Shapers
Application Control Shapers were previously configured in the Security Profiles > Application Control section, but for simplicity they are now consolidated in the same section as the other two types of traffic shapers: Shared and Per-IP.
To create an Application Control Shaper, you must first enable application control at the policy level, in Policy & Objects > Policy > [IPv4 or IPv6]. Then, you can create a matching application-based traffic shaping policy that will apply to it, in the new Traffic Shaping section under Policy & Objects > Traffic Shaping Policy.
New attributes added to “firewall shaping-policy” (277030) (275431)
The two new attributes are status and url-category. The status attribute verifies whether the policy is set to enabled or disabled. The url-category attribute applies the shaping-policy to sessions without a URL rating when set to 0, and no web filtering is applied.
config firewall shaping-policy edit 1
set status enable
set url-category [category ID number]
New button added to “Clone” Shapers
You can now easily create a copy of an existing shaper by selecting the shaper and clicking the Clone button.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!