FortiWAN Inbound BM and Outbound BM

Inbound BM and Outbound BM

Bandwidth Management is divided into inbound BM and outbound BM, which control the inbound and outbound traffic, respectively, on each WAN port. Packets (network streams) transferred inward (from WAN to LAN, DMZ or localhost) on a WAN port are counted as inbound traffic; packets transferred outward (from LAN, DMZ or localhost to WAN) on a WAN port are counted as outbound traffic. Therefore, both inbound BM and outbound BM are required if you want to control a connection in both directions (Bandwidth Management ignores the direction of a connection, that is, which side initiated it). A BM policy consists of BM classes and filters. A BM class defines the bandwidth to allocate to applications on each WAN port, while a BM filter defines the associated application by the source, destination and service of the packets. Bandwidth is allocated to the inbound/outbound traffic defined in an inbound/outbound filter according to the associated inbound/outbound class.

Inbound & Outbound Classes

An inbound/outbound class defines how to allocate bandwidth to the specified traffic. Specified traffic associated with the class can be controlled according to the WAN link it passes through and the time it is generated, and bandwidth is allocated according to settings of Guarantee, Max and Priority.

Enable BM: Tick the check box to enable Bandwidth Management.
Name: Assign a name to the bandwidth class. Simple names are best to avoid confusion, e.g. “HTTP” to manage the bandwidth of HTTP service.
Link: The number of the WAN link to which the bandwidth limitation will be applied. Traffic of specified applications (defined in inbound and outbound filters) passing through the WAN link will be shaped according to the bandwidth limitation below.

Busy Hour Settings: This is the bandwidth allocation on a WAN link during defined busy hour (see System > Busyhour Settings for more details, “Busyhour Settings”). Associated traffic passing through the WAN link during the time period will be shaped according to the following settings.
  Guaranteed Kbps: The guaranteed bandwidth for this class. This secures bandwidth allocated as defined for WAN link in peak hours. This is significant to guarantee the service quality especially for critical applications like VoIP.
  Max Kbps: The maximum bandwidth for WAN link. Maximum bandwidth is often allocated to services like WWW and SMTP that consume large bandwidth. Note that traffic of the WAN link would be blocked if the value of the field is zero.
  Priority: The priority of the connections on the WAN link. It can be High, Normal, or Low. The connections with higher priority will be allocated bandwidth first.

Idle Hour Settings: This is the bandwidth allocation on a WAN link during defined idle hour (see System > Busyhour Settings for more details, “Busyhour Settings”). Associated traffic passing through the WAN link during the time period will be shaped according to the following settings.
  Guaranteed Kbps: The guaranteed bandwidth for this class. This secures bandwidth allocated as defined for WAN link in peak hours. This is significant to guarantee the service quality especially for critical applications like VoIP.
  Max Kbps: The maximum bandwidth for WAN link. Maximum bandwidth is often allocated to services like WWW and SMTP that consume large bandwidth. Note that traffic of the WAN link would be blocked if the value of the field is zero.
  Priority: The priority of the connections on the WAN link. It can be High, Normal, or Low. The connections with higher priority will be allocated bandwidth first.

Inbound & Outbound IPv4/IPv6 Filter

A filter is used to evaluate the traffic passing through FortiWAN by its source, destination and service. Traffic that matches the filter is associated with the corresponding BM class, so that the traffic is shaped according to the bandwidth allocation of the class. The source and destination here mean the actual initiator and terminator of the inbound/outbound traffic, no matter whether the traffic is processed by NAT or Virtual Server.

E: Check the box to enable the rule.
Input Port: Select an interface that packets are received on for this filter term to evaluate the outbound traffic, or leave it as Any Port. See “Using the web UI” for details. This field is only available for Outbound IPv4/IPv6 filters.
Source: The source used to evaluate traffic (original packets) by where it comes from (see “Using the web UI”).
Destination: The destination used to evaluate traffic (original packets) by where it goes to (see “Using the web UI”).
Service: The service used to evaluate traffic (original packets) by their source port and destination port. Service matches as long as the source port or the destination port matches (see “Using the web UI”).
  The GRE and ESP options in the Service drop-down menu are for GRE and ESP packets coming from other VPN devices. GRE and ESP packets generated by FortiWAN are invisible to Bandwidth Management filters.
Classes: The BM class that traffic matching the filter (Source, Destination and Service) is associated with.
L: Check to enable logging. Whenever the rule is matched, the system records the event in the log file.
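
The following Python sketch is an added illustration, not FortiWAN code or configuration syntax. It models the filter matching described above to show that a filter in only one direction leaves the other half of a connection unmanaged, that Service matches on either port, and that a Max Kbps of zero blocks traffic. The class and function names, the sample addresses and the first-match ordering are assumptions.

```python
# Added illustration: a simplified model, not FortiWAN code or its config format.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class BMClass:
    name: str
    guaranteed_kbps: int
    max_kbps: int            # per the page, zero here blocks the traffic
    priority: str = "Normal"

@dataclass
class BMFilter:
    source: str              # CIDR; "0.0.0.0/0" stands in for Any
    destination: str
    service_port: int        # e.g. 80 for HTTP
    bm_class: BMClass

@dataclass
class Packet:
    direction: str           # "inbound" (WAN to LAN) or "outbound" (LAN to WAN)
    src: str                 # actual endpoints, as the page says, regardless of NAT
    dst: str
    sport: int
    dport: int

def matches(f, p):
    # Service matches when either the source or the destination port matches.
    return (ip_address(p.src) in ip_network(f.source)
            and ip_address(p.dst) in ip_network(f.destination)
            and f.service_port in (p.sport, p.dport))

def classify(policy, p):
    """Return the class name, 'blocked', or 'unmanaged' for one packet.
    Assumption of this sketch: the first matching filter wins."""
    for f in policy.get(p.direction, []):
        if matches(f, p):
            return "blocked" if f.bm_class.max_kbps == 0 else f.bm_class.name
    return "unmanaged"

# Constructed sample: a LAN client fetches a page from a WAN web server.
LAN, ANY = "192.168.1.0/24", "0.0.0.0/0"
http = BMClass("HTTP", guaranteed_kbps=512, max_kbps=2048)
request = Packet("outbound", "192.168.1.10", "203.0.113.5", 40000, 80)
reply = Packet("inbound", "203.0.113.5", "192.168.1.10", 80, 40000)

outbound_only = {"outbound": [BMFilter(LAN, ANY, 80, http)]}
both = {**outbound_only, "inbound": [BMFilter(ANY, LAN, 80, http)]}

if __name__ == "__main__":
    for label, policy in (("outbound only", outbound_only), ("both", both)):
        print(label, classify(policy, request), classify(policy, reply))
```

With only the outbound filter, the large reply stream stays unmanaged; the inbound filter catches it because the reply's source port is 80.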

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
