QoS using priority from security policies

QoS using priority from security policies

Configurations implementing QoS using the priority values defined in the security policies are capable of applying bandwidth limits and guarantees.

In addition to configuring traffic shaping, you may also choose to limit the bandwidth accepted by each interface. This can be useful in scenarios where the bandwidth received on source interfaces frequently exceeds the maximum bandwidth limit defined in the security policy. Rather than waste processing power on packets that will get dropped later in the process, you may choose to preemptively police the traffic.

If you decide to implement QoS using security policies rather than ToS bit, the FortiGate unit applies QoS to all packets controlled by the policy. This type of control is less granular than prioritization by ToS bit, but has the benefits of correlating quality of service to a security policy. This correlation enables you to distribute traffic over up to four of the possible 6 priority queues (queue 0 to queue 3), does not require other devices in your network to set or respect the ToS bit, and enables you to configure bandwidth limits and guarantees.

In the following example, we limit the bandwidth accepted by each source interface, limit the bandwidth used by sessions controlled by the security policy, and then configure prioritized queuing on the destination interface based upon the priority in the security policy, subject to alternative assignment to queue 0 when necessary to achieve the guaranteed packet rate.

 

To limit bandwidth accepted by an interface

In the CLI, enter the following commands:

config system interface edit <name_str>

set inbandwidth <rate_int>

next end

 

where <rate_int> is the bandwidth limit in Kb/s. Excess packets will be dropped.

 

To configure bandwidth guarantees, limits, and priorities

1. Go to Policy & Objects > Traffic Shapers and select the Create New “Plus” sign.

2. Select Shared or PerIP.

3. Enter a name for the shaper.

4. Select the Traffic Priority.

High has a priority value of 1, Medium is 2, and Low is 3. While the current packet rate is below Guaranteed

Bandwidth, the FortiGate unit will disregard this setting, and instead use priority queue.

5. Enable Max Bandwidth and enter a value.

Packets greater than this rate will be discarded.

6. Enable Guaranteed Bandwidth and enter a value, if any.

Bandwidth guarantees affect prioritization. While packet rates are less than this rate, they use priority queue 0. If this is not the effect you intend, consider entering a small guaranteed rate, or enter 0 to effectively disable bandwidth guarantees.

7. Enable DSCP and set a value.

8. Select OK.

 

PerIP shapers also include the option to set a maximum number of concurrent con- nections and to set both Forward DSCP and Reverse DSCP.

 

Sample configuration

This sample configuration limits ingressing bandwidth to 500 Kb/s. It also applies separate traffic shapers to FTP and HTTP traffic. In addition to the interface bandwidth limit, HTTP traffic is subject to a security policy bandwidth limit of 200 Kb/s.

All egressing FTP traffic greater than 10 Kb/s is subject to a low priority queue (queue 3), while all egressing HTTP traffic greater than 100 Kb/s is subject to a medium priority queue (queue 2). That is, unless FTP traffic rates are lower than their guaranteed rate, and web traffic rates are greater than their guaranteed rate, FTP traffic is lower priority than web traffic.

Traffic less than these guaranteed bandwidth rates use the highest priority queue (queue 0). Set the inbandwidth limits. This setting is only available in the CLI:

config system interface

edit wan1

set inbandwidth 500 next

end

 

Create traffic shapers for FTP and HTTP.

 

To configure an FTP shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers, and select the Create New “Plus” icon.

2. Select Shared.

3. Enter FTP for the name of the shaper.

4. Set Traffic Priority to Low.

5. Select the Guaranteed Bandwidth checkbox and enter 10 Kbps.

6. Select the Maximum Bandwidth checkbox and enter 500 Kbps.

7. Select OK.

8. Select the FTP shaper, right-click it, and select Edit in CLI. Type the following command:

set per-policy end

 

To configure an HTTP shaper – web-based manager:

1. Select the Create New “Plus” icon.

2. Set Type to Shared.

3. Enter HTTP for the name of the shaper.

4. Set Traffic Priority to Medium.

5. Select the Guaranteed Bandwidth checkbox and enter 100 Kbps.

6. Select the Maximum Bandwidth checkbox and enter 200 Kbps.

7. Select OK.

8. Select the HTTP shaper, right-click it, and select Edit in CLI. Type the following command:

set per-policy end

 

To add the FTP shaper to a traffic shaping policy – web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policy and click Create New to create a traffic shaping policy for FTP.

2. Set the Matching Criteria to the following:

Source                                                all

Destination address                        all

Service                                                FTP

3. Under Apply shaper, set the following:

Outgoing interface                            any (The outgoing interface should match the outgoing interface of the security policy you wish to apply shaping to.)

Shared Shaper                           Enable Shared Shaper and select FTP from the dropdown menu.

Reverse Shaper                          Enable Shared Shaper and select FTP from the dropdown menu.

Enable this policy                     Enable this policy.

4. Select OK.

 

To add the HTTP shaper to a traffic shaping policy – web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policyand click Create New to create a traffic shaping policy for HTTP.

2. Set the Matching Criteria to the following:

Source                                                all

Destination address                        all

Service                                                HTTP

3. Under Apply shaper, set the following:

Outgoing interface                            any (The outgoing interface should match the outgoing interface of the security policy you wish to apply shaping to.)

Shared Shaper                           Enable Shared Shaper and select HTTP from the dropdown menu.

Reverse Shaper                          Enable Shared Shaper and select HTTP from the dropdown menu.

Enable this policy                     Enable this policy.

4. Select OK.

5. On the policy list page, move the FTP traffic shaping policy to the top of the list by clicking on the far left column to drag and drop it. The HTTP traffic shaping policy should be below the FTP policy, and more general internet access policies should be at the bottom of the policy list.

 

To configure the FTP and HTTP shapers – CLI:

config firewall shaper traffic-shaper edit FTP

set maximum-bandwidth 500 set guaranteed-bandwidth 10 set per-policy enable

set priority low next

edit HTTP

set maximum-bandwidth 200

set guaranteed-bandwidth 100 set per-policy enable

set priority medium end

 

To add each shaper to a traffic shaping policy- CLI:

config firewall shaping-policy

edit 1 <shaping policy ID number>

set srcaddr all set dstaddr all set service ALL

set dstintf wan1 <outgoing interface>

set traffic-shaper FTP

next

edit 2 <shaping policy ID number>

set srcaddr all set dstaddr all

set service ALL

set dstintf wan1 <outgoing interface>

set traffic-shaper HTTP

next

move 1 before 2 end

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.