Virtual Domains in NAT/Route mode

By default, a Virtual Domain (VDOM) uses NAT/Route mode. In this mode, the VDOM is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the VDOM to hide the IP addresses of the private network using network address translation (NAT).

Each VDOM on a FortiGate can be configured for NAT/Route mode or Transparent mode, regardless of the operation mode of other VDOMs on the FortiGate. For more information about Transparent mode, see “Virtual Domains in Transparent mode” on page 2621.

 

This chapter contains the following sections:

  • Using a VDOM in NAT/Route mode
  • Example configuration: VDOM in NAT/Route mode

 

Using a VDOM in NAT/Route mode

Once you have enabled virtual domains and created one or more VDOMs, you need to configure them. Configuring VDOMs on your FortiGate unit includes tasks such as the ones listed here; while you may not require all for your network topology, it is recommended that you perform them in the order given:

  • Changing the management virtual domain
  • Configuring interfaces in a NAT/Route VDOM
  • Configuring VDOM routing
  • Configuring security policies for NAT/Route VDOMs
  • Configuring security profiles for NAT/Route VDOMs

 

Changing the management virtual domain

The management virtual domain is the virtual domain where all the management traffic for the FortiGate unit originates. This management traffic needs access to remote servers, such as FortiGuard services and NTP, to perform its duties. It needs access to the Internet to send and receive this traffic.

 

Management traffic includes, but is not limited to:

  • DNS lookups
  • logging to FortiAnalyzer or syslog
  • FortiGuard services
  • sending alert emails
  • Network Time Protocol (NTP) traffic
  • sending SNMP traps
  • quarantining suspicious files and email

By default the management VDOM is the root domain. When other VDOMs are configured on your FortiGate unit, management traffic can be moved to one of these other VDOMs.

Reasons to move the management VDOM include selecting a non-root VDOM to be your administration VDOM, or the root VDOM not having an interface with a connection to the Internet.

You cannot change the management VDOM if any administrators are using RADIUS authentication.

The following procedure will change the management VDOM from the default root to a VDOM named mgmt_vdom. It is assumed that mgmt_vdom has already been created and has an interface that can access the Internet.

 

To change the management VDOM – web-based manager:

1. Select Global > System > VDOM.

2. Select the checkbox next to the required VDOM.

3. Select Switch Management.

The current management VDOM is shown in square brackets, “[root]” for example.

 

To change the management VDOM – CLI:

config global
    config system global
        set management-vdom mgmt_vdom
    end
end

Management traffic will now originate from mgmt_vdom.

 

Configuring interfaces in a NAT/Route VDOM

A VDOM must contain at least two interfaces to be useful. These can be physical interfaces or VLAN interfaces. By default, all physical interfaces are in the root VDOM. When you create a new VLAN, it is in the root VDOM by default.

When there are VDOMs on the FortiGate unit in both NAT and Transparent operation modes, some interface fields will be displayed as “-” on Network > Interfaces. Only someone with a super_admin account can view all the VDOMs.

When moving an interface to a different VDOM, firewall IP pools and virtual IPs for this interface are deleted. You should manually delete any routes that refer to this interface. Once the interface has been moved to the new VDOM, you can add these services to the interface again.

When configuring VDOMs on FortiGate units with accelerated interfaces you must assign both interfaces in the pair to the same VDOM for those interfaces to retain their acceleration. Otherwise they will become normal interfaces.

 

This section includes the following topics:

  • Adding a VLAN to a NAT/Route VDOM
  • Moving an interface to a VDOM
  • Deleting an interface
  • Adding a zone to a VDOM

 

Adding a VLAN to a NAT/Route VDOM

The following example shows one way that multiple companies can maintain their security when they are using one FortiGate unit with VLANs that share interfaces on the unit.

This procedure will add a VLAN interface called client1-v100 with a VLAN ID of 100 to an existing VDOM called client1 using the physical interface called port2.

The physical interface does not need to belong to the VDOM that the VLAN belongs to.

 

To add a VLAN subinterface to a VDOM – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Create New.

3. Enter the following information and select OK:

Name                   client1-v100
Interface              port2
VLAN ID                100
Virtual Domain         Client1
Addressing mode        Manual
IP/Netmask             172.20.120.110/255.255.255.0
Administrative Access  HTTPS, SSH

You will see an expand arrow added to the port2 interface. When the arrow is expanded, the interface shows the client1-v100 VLAN subinterface.

 

To add a VLAN subinterface to a VDOM – CLI:

config global
    config system interface
        edit client1-v100
            set type vlan
            set vlanid 100
            set vdom Client1
            set interface port2
            set ip 172.20.120.110 255.255.255.0
            set allowaccess https ssh
    end
end

 

Moving an interface to a VDOM

Interfaces belong to the root VDOM by default. Moving an interface is the same procedure whether it is moving from the root VDOM or from any other VDOM.

If you have an accelerated pair of physical interfaces both interfaces must be in the same VDOM or you will lose their acceleration.

The following procedure will move the port3 interface to the Client2 VDOM. This is a common action when configuring a VDOM. It is assumed that the Client2 VDOM has already been created. It is also assumed that your FortiGate unit has a port3 interface. If you are using a different model, your physical interfaces may not be named port2, external or port3.

 

To move an existing interface to a different VDOM – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Edit for the port3 interface.

3. Select Client2 as the new Virtual Domain.

4. Select OK.

 

To move an existing interface to a different VDOM – CLI:

config global
    config system interface
        edit port3
            set vdom Client2
    end
end

 

Deleting an interface

Before you can delete a virtual interface, or move an interface from one VDOM to another, all references to that interface must be removed. For a list of objects that can refer to an interface see Virtual Domains Overview.

The easiest way to be sure an interface can be deleted is when the Delete icon is no longer greyed out. If it remains greyed out when an interface is selected, that interface still has objects referring to it, or it is a physical interface that cannot be deleted.

 

To delete a virtual interface – web-based manager:

1. Ensure all objects referring to this interface have been removed.

2. Select Global > Network > Interfaces.

3. Select the interface to delete.

4. Select the delete icon.

 

Adding a zone to a VDOM

Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. You can configure policies for connections to and from a zone, but not between interfaces in a zone.

Zones are VDOM-specific. A zone cannot be moved to a different VDOM. Any interfaces in a zone cannot be used in another zone. To move a zone to a new VDOM requires deleting the current zone and re-creating a zone in the new VDOM.

The following procedure will create a zone called accounting in the client2 VDOM. It will not allow intra-zone traffic, and both port3 and port2 interfaces belong to this zone. This is a method of grouping and isolating traffic over particular interfaces; it is useful for added security and control within a larger network.

 

To add a zone to a VDOM – web-based manager:

1. In Virtual Domains, select the client2 VDOM.

2. Go to Network > Interfaces.

3. Select Create New > Zone.

4. Enter the following information and select OK:

Zone Name                accounting
Block intra-zone traffic Select
Interface Members        port3, port2

To add a zone to a VDOM – CLI:

config vdom
    edit client2
        config system zone
            edit accounting
                set interface port3 port2
                set intrazone deny
        end
end

 

Configuring VDOM routing

Routing is VDOM-specific. Each VDOM should have a default static route configured as a minimum. Within a VDOM, routing is the same as routing on your FortiGate unit without VDOMs enabled.

When configuring dynamic routing on a VDOM, other VDOMs on the FortiGate unit can be neighbors. The following topics give a brief introduction to the routing protocols, and show specific examples of how to configure dynamic routing for VDOMs. Figures are included to show the FortiGate unit configuration after the successful completion of the routing example.

 

Default static route for a VDOM

The routing you define applies only to network traffic entering non-ssl interfaces belonging to this VDOM. Set the administrative distance high enough, typically 20, so that automatically configured routes will be preferred to the default.

In the following procedure, it is assumed that a VDOM called “Client2” exists. The procedure will create a default static route for this VDOM. The route has a destination IP of 0.0.0.0, on the port3 interface. It has a gateway of 10.10.10.1, and an administrative distance of 20.

The values used in this procedure are very standard, and this procedure should be part of configuring all VDOMs.

 

To add a default static route for a VDOM – web-based manager:

1. In Virtual Domains, select the client2 VDOM.

2. Go to Network > Static Routes.

3. Select Create New.

4. Enter the following information and select OK:

Destination IP/Mask   0.0.0.0/0.0.0.0
Device                port2
Gateway               10.10.10.1
Distance              20

 

To add a default static route for a VDOM – CLI:

config vdom
    edit client2
        config router static
            edit 4
                set device port2
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.10.10.1
                set distance 20
        end
end

 

Dynamic Routing in VDOMs

Dynamic routing is VDOM-specific, like all other routing. Dynamic routing configuration is the same with VDOMs as with your FortiGate unit without VDOMs enabled, once you are at the routing menu. If you have multiple VDOMs configured, the dynamic routing configuration between them can become quite complex.

VDOMs provide some interesting changes to dynamic routing. Each VDOM can be a neighbor to the other VDOMs. This is useful in simulating a dynamic routing area or AS or network using only your FortiGate unit.

You can separate different types of routing to different VDOMs if required. This allows for easier troubleshooting. This is very useful if your FortiGate unit is on the border of a number of different routing domains.

For more information on dynamic routing in FortiOS, see the Advanced Routing handbook.

Inter-VDOM links may or may not have IP addresses assigned to them, but they must have IP addresses if they are part of a dynamic routing configuration. Without IP addresses, you need to be careful how you configure routing: while the default static route can be assigned an address of 0.0.0.0 and rely instead on the interface, dynamic routing almost always requires an IP address.

 

RIP

The RIP dynamic routing protocol uses hop count to determine the best route, with a hop count of 1 being directly attached to the interface and a hop count of 16 being unreachable. For example if two VDOMs on the same FortiGate unit are RIP neighbors, they have a hop count of 1.

 

OSPF

OSPF communicates the status of its network links to adjacent neighbor routers instead of the complete routing table. Compared to RIP, OSPF is more suitable for large networks and is not limited by hop count, but it is more complex to configure. For smaller OSPF configurations it is easiest to just use the backbone area instead of multiple areas.

 

BGP

BGP is an Internet gateway protocol (IGP) used to connect autonomous systems (ASes) and is used by Internet service providers (ISPs). BGP stores the full path, or path vector, to a destination and its attributes which aid in proper routing.

 

Configuring security policies for NAT/Route VDOMs

Security policies are VDOM-specific. This means that all firewall settings for a VDOM, such as firewall addresses and security policies, are configured within the VDOM.

In VDOMs, all firewall related objects are configured per VDOM, including addresses, service groups, security profiles, schedules, traffic shaping, and so on. If you want firewall addresses, you have to create them on each VDOM separately. If you have many addresses and VDOMs, this can be tedious and time consuming. Consider using a FortiManager unit to manage your VDOM configuration: it can get firewall objects from a configured VDOM or FortiGate unit and push those objects to many other VDOMs or FortiGate units. See the FortiManager Administration Guide.

You can customize the Policy display by including some or all columns, and customize the column order onscreen. Due to this feature, security policy screenshots may not appear the same as on your screen.

 

Configuring a security policy for a VDOM

Your security policies can involve only the interfaces, zones, and firewall addresses that are part of the current VDOM, and they are only visible when you are viewing the current VDOM. The security policies of this VDOM filter the network traffic on the interfaces and VLAN subinterfaces in this VDOM.

A firewall service group can be configured to group multiple services into one service group. When a descriptive name is used, service groups make it easier for an administrator to quickly determine what services are allowed by a security policy.

In the following procedure, it is assumed that a VDOM called Client2 exists. The procedure will configure an outgoing security policy. The security policy will allow all HTTPS, SSH, and DNS traffic for the SalesLocal address group on VLAN_200 going to all addresses on port3. This traffic will be scanned and logged.

 

To configure a security policy for a VDOM – web-based manager:

1. In Virtual Domains, select the client2 VDOM.

2. Go to Policy & Objects > IPv4 Policy.

3. Select Create New.

4. Enter the following information and select OK:

Name                  Client2-outgoing
Incoming Interface    VLAN_200
Outgoing Interface    port3
Source Address        SalesLocal
Destination Address   any
Schedule              always
Service               HTTPS, SSH, DNS
Action                ACCEPT
Log Allowed Traffic   enable

 

To configure a security policy for a VDOM – CLI:

config vdom
    edit Client2
        config firewall policy
            edit 12
                set srcintf VLAN_200
                set srcaddr SalesLocal
                set dstintf port3
                set dstaddr any
                set schedule always
                set service HTTPS SSH DNS
                set action accept
                set status enable
                set logtraffic enable
        end
end

 

Configuring security profiles for NAT/Route VDOMs

In NAT/Route VDOMs, security profiles are exactly like regular FortiGate unit operation with one exception. In VDOMs, there are no default security profiles.

If you want security profiles in VDOMs, you must create them yourself. If you have many security profiles to create in each VDOM, you should consider using a FortiManager unit. It can get existing profiles from a VDOM or FortiGate unit, and push those profiles down to multiple other VDOMs or FortiGate units. See the FortiManager Administration Guide.

When VDOMs are enabled, you only need one FortiGuard license for the physical unit, and download FortiGuard updates once for the physical unit. This can result in a large time and money savings over multiple physical units if you have many VDOMs.

 

Configuring VPNs for a VDOM

Virtual Private Networking (VPN) settings are VDOM-specific, and must be configured within each VDOM. Configurations for IPsec Tunnel, IPsec Interface, PPTP and SSL are VDOM-specific. However, certificates are shared by all VDOMs and are added and configured globally to the FortiGate unit.

 

Example configuration: VDOM in NAT/Route mode

Company A and Company B each have their own internal networks and their own ISPs. They share a FortiGate unit that is configured with two separate VDOMs, with each VDOM running in NAT/Route mode enabling separate configuration of network protection profiles. Each ISP is connected to a different interface on the FortiGate unit.

 

This network example was chosen to illustrate one of the most typical VDOM configurations. This example has the following sections:

  • Network topology and assumptions
  • General configuration steps
  • Creating the VDOMs
  • Configuring the FortiGate interfaces
  • Configuring the vdomA VDOM
  • Configuring the vdomB VDOM
  • Testing the configuration

Network topology and assumptions

Both companies have their own ISPs and their own internal interface, external interface, and VDOM on the FortiGate unit.

For easier configuration, the following IP addressing is used:

  • all IP addresses on the FortiGate unit end in “.2” such as 10.11.101.2.
  • all IP addresses for ISPs end in “.7”, such as 172.20.201.7.
  • all internal networks are 10.*.*.* networks, and sample internal addresses end in “.55”.

The IP address matrix for this example is as follows.

Address            Company A                Company B
ISP                172.20.201.7             192.168.201.7
Internal network   10.11.101.0              10.12.101.0
FortiGate / VDOM   172.20.201.2 (port1)     192.168.201.2 (port3)
                   10.11.101.2 (port4)      10.12.101.2 (port2)

The Company A internal network is on the 10.11.101.0/255.255.255.0 subnet. The Company B internal network is on the 10.12.101.0/255.255.255.0 subnet.

There are no switches or routers required for this configuration. There are no VLANs in this network topology.

The interfaces used in this example are port1 through port4. Different FortiGate models may have different interface labels. port1 and port3 are used as external interfaces. port2 and port4 are internal interfaces.

The administrator is a super_admin account. If you are using a non-super_admin account, refer to “Global and per-VDOM settings” to see which parts a non-super_admin account can also configure.

When configuring security policies in the CLI always choose a policy number that is higher than any existing policy numbers, select services before profile-status, and profile-status before profile. If these commands are not entered in that order, they may not be available to enter.

 

General configuration steps

For best results in this configuration, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Creating the VDOMs

2. Configuring the FortiGate interfaces

3. Configuring the vdomA VDOM, and Configuring the vdomB VDOM

4. Testing the configuration

 

Creating the VDOMs

In this example, two new VDOMs are created: vdomA for Company A and vdomB for Company B. These VDOMs will keep the traffic for these two companies separate while enabling each company to access its own ISP.

 

To create two VDOMs – web-based manager:

1. Log in with a super_admin account.

2. Go to Global > System > VDOM, and select Create New.

3. Enter vdomA and select OK.

4. Select OK again to return to the VDOM list.

5. Select Create New.

6. Enter vdomB and select OK.

 

To create two VDOMs – CLI:

config vdom
    edit vdomA
    next
    edit vdomB
end

 

Configuring the FortiGate interfaces

This section configures the interfaces that connect to the companies’ internal networks, and to the companies’ ISPs.

All interfaces on the FortiGate unit will be configured with an IP address ending in “.2” such as 10.11.101.2. This will simplify network administration both for the companies, and for the FortiGate unit global administrator. Also the internal addresses for each company differ in the second octet of their IP address – Company A is 10.11.*, and Company B is 10.12.*.

This section includes the following topics:

  • Configuring the vdomA interfaces
  • Configuring the vdomB interfaces

If you cannot change the VDOM of a network interface, it is because something that refers to that interface needs to be deleted. Once all the references are deleted, the interface will be available to switch to a different VDOM. For example, a common reference to the external interface is the default static route entry. See Example configuration: VDOM in NAT/Route mode.

 

Configuring the vdomA interfaces

The vdomA VDOM includes two FortiGate unit interfaces: port1 (the external interface) and port4.

The port4 interface connects the Company A internal network to the FortiGate unit, and shares the internal network subnet of 10.11.101.0/255.255.255.0.

The port1 (external) interface connects the FortiGate unit to ISP A and the Internet. It shares the ISP A subnet of 172.20.201.0/255.255.255.0.

 

 

To configure the vdomA interfaces – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Edit on the port1 interface.

3. Enter the following information and select OK:

Virtual Domain    vdomA
Addressing mode   Manual
IP/Netmask        172.20.201.2/255.255.255.0

4. Select Edit on the port4 interface.

5. Enter the following information and select OK:

Virtual Domain    vdomA
Addressing mode   Manual
IP/Netmask        10.11.101.2/255.255.255.0

 

To configure the vdomA interfaces – CLI:

config global
    config system interface
        edit port1
            set vdom vdomA
            set mode static
            set ip 172.20.201.2 255.255.255.0
        next
        edit port4
            set vdom vdomA
            set mode static
            set ip 10.11.101.2 255.255.255.0
    end
end

 

Configuring the vdomB interfaces

The vdomB VDOM uses two FortiGate unit interfaces: port2 and port3.

The port2 interface connects the Company B internal network to the FortiGate unit, and shares the internal network subnet of 10.12.101.0/255.255.255.0.

The port3 interface connects the FortiGate unit to ISP B and the Internet. It shares the ISP B subnet of 192.168.201.0/255.255.255.0.

 

To configure the vdomB interfaces – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Edit on the port3 interface.

3. Enter the following information and select OK:

Virtual Domain    vdomB
Addressing mode   Manual
IP/Netmask        192.168.201.2/255.255.255.0

4. Select Edit on the port2 interface.

5. Enter the following information and select OK:

Virtual Domain    vdomB
Addressing mode   Manual
IP/Netmask        10.12.101.2/255.255.255.0

 

To configure the vdomB interfaces – CLI:

config global
    config system interface
        edit port3
            set vdom vdomB
            set mode static
            set ip 192.168.201.2 255.255.255.0
        next
        edit port2
            set vdom vdomB
            set mode static
            set ip 10.12.101.2 255.255.255.0
    end
end

 

Configuring the vdomA VDOM

With the VDOMs created and the ISPs connected, the next step is to configure the vdomA VDOM. Configuring vdomA includes the following:

  • Adding vdomA firewall addresses
  • Adding the vdomA security policy
  • Adding the vdomA default route

 

Adding vdomA firewall addresses

You need to define the addresses used by Company A’s internal network for use in security policies. This internal network is the 10.11.101.0/255.255.255.0 subnet.

The FortiGate unit provides one default address, “all”, that you can use when a security policy applies to all addresses as the source or destination of a packet.

 

To add the vdomA firewall addresses – web-based manager:

1. In Virtual Domains, select vdomA.

2. Go to Policy & Objects > Addresses.

3. Select Create New.

4. Enter the following information and select OK:

Address Name        Ainternal
Type                Subnet / IP Range
Subnet / IP Range   10.11.101.0/255.255.255.0
Interface           port4

 

To add the vdomA firewall addresses – CLI:

config vdom
    edit vdomA
        config firewall address
            edit Ainternal
                set type ipmask
                set subnet 10.11.101.0 255.255.255.0
        end
end

 

Adding the vdomA security policy

You need to add the vdomA security policy to allow traffic from the internal network to reach the external network, and from the external network to internal as well. You need two policies for this domain.

 

To add the vdomA security policy – web-based manager:

1. In Virtual Domains, select vdomA.

2. Go to Policy & Objects > IPv4 Policy.

3. Select Create New.

4. Enter the following information and select OK:

Name                  VDOMA-internal-to-external
Incoming Interface    port4
Outgoing Interface    port1
Source Address        Ainternal
Destination Address   all
Schedule              Always
Service               ANY
Action                ACCEPT

5. Select Create New.

6. Enter the following information and select OK:

Name                  VDOMA-external-to-internal
Incoming Interface    port1
Outgoing Interface    port4
Source Address        all
Destination Address   Ainternal
Schedule              Always
Service               ANY
Action                ACCEPT

 

To add the vdomA security policy – CLI:

config vdom
    edit vdomA
        config firewall policy
            edit 1
                set srcintf port4
                set srcaddr Ainternal
                set dstintf port1
                set dstaddr all
                set schedule always
                set service ANY
                set action accept
                set status enable
            next
            edit 2
                set srcintf port1
                set srcaddr all
                set dstintf port4
                set dstaddr Ainternal
                set schedule always
                set service ANY
                set action accept
                set status enable
        end
end

 

Adding the vdomA default route

You also need to define a default route to direct packets from the Company A internal network to ISP A. Every VDOM needs a default static route, as a minimum, to handle traffic addressed to external networks such as the Internet.

The administrative distance should be set slightly higher than other routes. Lower admin distances will get checked first, and this default route will only be used as a last resort.

 

To add a default route to the vdomA – web-based manager:

1. For Virtual Domains, select vdomA

2. Go to Network > Static Routes.

3. Select Create New.

4. Enter the following information and select OK:

Destination IP/Mask   0.0.0.0/0.0.0.0
Device                port1
Gateway               172.20.201.7
Distance              20

 

To add a default route to the vdomA – CLI:

config vdom
    edit vdomA
        config router static
            edit 1
                set device port1
                set dst 0.0.0.0 0.0.0.0
                set gateway 172.20.201.7
                set distance 20
        end
end

 

Configuring the vdomB VDOM

In this example, the vdomB VDOM is used for Company B. Firewall and routing settings are specific to a single VDOM.

vdomB includes the FortiGate port2 interface to connect to the Company B internal network, and the FortiGate port3 interface to connect to ISP B. Security policies are needed to allow traffic from port2 to port3 (the external interface) and from port3 to port2.

This section includes the following topics:

  • Adding the vdomB firewall address
  • Adding the vdomB security policy
  • Adding a default route to the vdomB VDOM

 

Adding the vdomB firewall address

You need to define addresses for use in security policies. In this example, the vdomB VDOM needs an address for the port2 interface and the “all” address.

 

To add the vdomB firewall address – web-based manager:

1. In Virtual Domains, select vdomB.

2. Go to Policy & Objects > Addresses.

3. Select Create New.

4. Enter the following information and select OK:

Address Name        Binternal
Type                Subnet / IP Range
Subnet / IP Range   10.12.101.0/255.255.255.0
Interface           port2

 

To add the vdomB firewall address – CLI:

config vdom
    edit vdomB
        config firewall address
            edit Binternal
                set type ipmask
                set subnet 10.12.101.0 255.255.255.0
        end
end

 

Adding the vdomB security policy

You also need a security policy for the Company B domain. In this example, the security policy allows all traffic.

 

To add the vdomB security policy – web-based manager:

1. Log in with a super_admin account.

2. In Virtual Domains, select vdomB.

3. Go to Policy & Objects > IPv4 Policy

4. Select Create New.

5. Enter the following information and select OK:

 

Name                  VDOMB-internal-to-external
Incoming Interface    port2
Outgoing Interface    port3
Source Address        Binternal
Destination Address   all
Schedule              Always
Service               ANY
Action                ACCEPT

6. Select Create New.

7. Enter the following information and select OK:

Name                  VDOMB-external-to-internal
Incoming Interface    port3
Outgoing Interface    port2
Source Address        all
Destination Address   Binternal
Schedule              Always
Service               ANY
Action                ACCEPT

 

To add the vdomB security policy – CLI:

config vdom
    edit vdomB
        config firewall policy
            edit 1
                set srcintf port2
                set dstintf port3
                set srcaddr Binternal
                set dstaddr all
                set schedule always
                set service ANY
                set action accept
                set status enable
            next
            edit 2
                set srcintf port3
                set dstintf port2
                set srcaddr all
                set dstaddr Binternal
                set schedule always
                set service ANY
                set action accept
                set status enable
        end
end

 

Adding a default route to the vdomB VDOM

You need to define a default route to direct packets to ISP B.

 

To add a default route to the vdomB VDOM – web-based manager:

1. Log in as the super_admin administrator.

2. In Virtual Domains, select vdomB.

3. Go to Network > Static Routes.

4. Select Create New.

5. Enter the following information and select OK:

Destination IP/Mask   0.0.0.0/0.0.0.0
Device                port3
Gateway               192.168.201.7
Distance              20

 

To add a default route to the vdomB VDOM – CLI:

config vdom
    edit vdomB
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set device port3
                set gateway 192.168.201.7
                set distance 20
        end
end
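The rules stated in the interface, zone, routing and policy sections above (every VDOM needs a default static route; a route, policy or zone may only name interfaces that belong to its own VDOM) can be checked mechanically against a configuration listing. The script below is an added example, not Fortinet code: it assumes the config / edit / set / next / end text form used in this page's CLI procedures, and the listing it runs on is constructed from the vdomA/vdomB example with two mistakes introduced on purpose.

```python
"""Cross-VDOM sanity checks for a FortiGate configuration listing (added example)."""
from collections import namedtuple

# One record per 'edit' block: enclosing VDOM (None for global tables), table, name, settings.
Entry = namedtuple("Entry", "vdom table name settings")


def parse_fortios(text):
    """Parse the config / edit / set / next / end text form of the FortiOS CLI."""
    entries, stack = [], []              # stack frames: [kind, name, settings]
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        cmd, args = parts[0], parts[1:]
        if cmd in ("config", "edit"):
            stack.append([cmd, " ".join(args), {}])
        elif cmd == "set":               # belongs to the innermost open block
            stack[-1][2][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            if stack and stack[-1][0] == "edit":
                entries.append(_entry(stack))
                stack.pop()
            if cmd == "end" and stack:   # 'end' also closes the enclosing table
                stack.pop()
    return entries


def _entry(stack):
    """Build the Entry for the 'edit' frame on top of the stack."""
    table = next(f[1] for f in reversed(stack[:-1]) if f[0] == "config")
    vdom = None                          # the 'edit <name>' directly under 'config vdom'
    for i in range(1, len(stack) - 1):
        if stack[i][0] == "edit" and stack[i - 1][:2] == ["config", "vdom"]:
            vdom = stack[i][1]
    return Entry(vdom, table, stack[-1][1], stack[-1][2])


def check_vdoms(entries):
    """Return human-readable findings; an empty list means the listing is clean."""
    findings = []
    # An interface is owned by its 'set vdom' (root when unset); a zone by the VDOM it was made in.
    owner = {e.name: e.settings.get("vdom", ["root"])[0]
             for e in entries if e.table == "system interface"}
    owner.update({e.name: e.vdom for e in entries if e.table == "system zone"})
    # 1. Every VDOM needs a default static route (an unset dst means 0.0.0.0/0).
    for vdom in sorted({e.name for e in entries if e.table == "vdom"}):
        routes = [e for e in entries if e.vdom == vdom and e.table == "router static"]
        if not any(e.settings.get("dst", ["0.0.0.0", "0.0.0.0"]) == ["0.0.0.0", "0.0.0.0"]
                   for e in routes):
            findings.append(f"{vdom}: no default static route")
    # 2. Routes, policies and zones may only name interfaces of their own VDOM.
    refs = {"router static": ("device",), "firewall policy": ("srcintf", "dstintf"),
            "system zone": ("interface",)}
    for e in entries:
        for key in refs.get(e.table, ()):
            for intf in e.settings.get(key, []):
                if intf != "any" and owner.get(intf) != e.vdom:
                    findings.append(f"{e.vdom}: {e.table} '{e.name}' uses {intf}, "
                                    f"owned by {owner.get(intf, '<undefined>')}")
    return findings


# Constructed listing: the vdomA/vdomB example above with two mistakes introduced on
# purpose (vdomA policy 2 exits via port3, which is vdomB's; vdomB has no default route).
SAMPLE_CONFIG = """
config vdom
    edit vdomA
    next
    edit vdomB
end
config global
    config system interface
        edit port1
            set vdom vdomA
        next
        edit port4
            set vdom vdomA
        next
        edit port2
            set vdom vdomB
        next
        edit port3
            set vdom vdomB
    end
end
config vdom
    edit vdomA
        config firewall policy
            edit 1
                set srcintf port4
                set dstintf port1
            next
            edit 2
                set srcintf port1
                set dstintf port3
        end
        config router static
            edit 1
                set device port1
        end
end
"""
```

Running `check_vdoms(parse_fortios(SAMPLE_CONFIG))` reports the missing vdomB route and the vdomA policy that references vdomB's port3; the same checks apply unchanged to a `show full-configuration` dump once it is saved to a file.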

 

Testing the configuration

Once you have completed configuration for both company VDOMs, you can use diagnostic commands, such as tracert in Windows, to test traffic routed through the FortiGate unit. Alternatively, you can use the traceroute command on a Linux system with similar output.

 

Possible errors during the traceroute test are:

  • “* * * Request timed out” – the trace was not able to make the next connection towards the destination fast enough
  • “Destination host unreachable” – after a number of timed-out responses the trace will give up

Possible reasons for these errors are bad connections or configuration errors. For additional troubleshooting, see Troubleshooting Virtual Domains.

Testing traffic from the internal network to the ISP

In this example, a route is traced from the Company A internal network to ISP A. The test was run on a Windows PC with an IP address of 10.11.101.55.

The output here indicates three hops between the source and destination, the IP address of each hop, and that the trace was successful.

From the Company A internal network, access a command prompt and enter this command:

C:\>tracert 172.20.201.7

Tracing route to 172.20.201.7 over a maximum of 30 hops:

  1    <10 ms   <10 ms   <10 ms  10.11.101.2
  2    <10 ms   <10 ms   <10 ms  172.20.201.2
  3    <10 ms   <10 ms   <10 ms  172.20.201.7

Trace complete.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

How to verify the correct route is being used


If you have more than one default route and want to make sure that traffic is flowing via the expected route, run a trace route from a machine on the local area network; the output shows the first hop that the traffic goes through.

 

Sample output:

C:\>tracert www.fortinet.com

Tracing route to www.fortinet.com [66.171.121.34]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.10.1.99
  2     1 ms    <1 ms    <1 ms  172.20.120.2
  3     3 ms     3 ms     3 ms  static-209-87-254-221.storm.ca [209.87.254.221]
  4     3 ms     3 ms     3 ms  core-2-g0-2.storm.ca [209.87.239.129]
  5    13 ms    13 ms    13 ms  core-3-bdi1739.storm.ca [209.87.239.199]
  6    12 ms    19 ms    11 ms  v502.core1.tor1.he.net [216.66.41.113]
  7    22 ms    22 ms    21 ms  100ge1-2.core1.nyc4.he.net [184.105.80.9]
  8    84 ms    84 ms    84 ms  ny-paix-gni.twgate.net [198.32.118.41]
  9    82 ms    84 ms    82 ms  217-228-160-203.TWGATE-IP.twgate.net [203.160.228.217]
 10    82 ms    81 ms    82 ms  229-228-160-203.TWGATE-IP.twgate.net [203.160.228.229]
 11    82 ms    82 ms    82 ms  203.78.181.2
 12    84 ms    83 ms    83 ms  203.78.186.70
 13    84 ms     *       85 ms  66.171.127.177
 14    84 ms    84 ms    84 ms  fortinet.com [66.171.121.34]
 15    84 ms    84 ms    83 ms  fortinet.com [66.171.121.34]

Trace complete.

In this scenario, the first hop contains the IP address 10.10.1.99, which is the internal interface of the FortiGate. The second hop contains the IP address 172.20.120.2, to which the wan1 interface of the FortiGate is connected, so we can conclude that the route via wan1 interface is being used for this traffic.

 

Debugging the packet flow in the CLI also shows the route taken for each session.

Sample output:

id=20085 trace_id=319 func=vf_ip4_route_input line=1597 msg="find a route: gw-172.20.120.2 via wan1"

For more information on debugging the packet flow, see How to debug the packet flow.
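As an added example (not part of the Fortinet documentation), the following Python script automates the check described in this section: it parses Windows tracert output for the first two hops, parses the "find a route" debug flow message, and reports whether both agree on the egress interface. The sample tracert text, the extra timed-out hop and the GATEWAY_BY_INTERFACE map (wan2 and its gateway) are constructed for the example; only wan1 and 172.20.120.2 come from the text above.

```python
import re

# Constructed sample input: the first hops of the tracert output shown above
# plus one timed-out hop, and the "find a route" debug flow line. Not captured
# from a live FortiGate here.
TRACERT_OUTPUT = """\
Tracing route to www.fortinet.com [66.171.121.34]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.10.1.99
  2     1 ms    <1 ms    <1 ms  172.20.120.2
  3     3 ms     3 ms     3 ms  static-209-87-254-221.storm.ca [209.87.254.221]
  4     *        *        *     Request timed out.

Trace complete.
"""
DEBUG_FLOW_LINE = ('id=20085 trace_id=319 func=vf_ip4_route_input line=1597 '
                   'msg="find a route: gw-172.20.120.2 via wan1"')

# Hypothetical inventory: next-hop gateway per FortiGate WAN interface. wan1
# matches the example above; wan2 is an invented second default route.
GATEWAY_BY_INTERFACE = {"wan1": "172.20.120.2", "wan2": "10.200.0.1"}

_IP_AT_END = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")
_ROUTE_MSG = re.compile(r"find a route: gw-(\d{1,3}(?:\.\d{1,3}){3}) via ([\w.-]+)")


def parse_tracert(text):
    """Return [(hop_number, ip_or_None), ...]; timed-out hops carry None."""
    hops = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # header, blank and "Trace complete." lines
        match = _IP_AT_END.search(line)
        hops.append((int(tokens[0]), match.group(1) if match else None))
    return hops


def parse_route_message(line):
    """Extract (gateway, interface) from a vf_ip4_route_input debug flow line."""
    match = _ROUTE_MSG.search(line)
    return (match.group(1), match.group(2)) if match else None


def egress_interface(hops, gateway_by_interface):
    """Map the second hop (the FortiGate's next hop) back to a WAN interface."""
    second = dict(hops).get(2)
    for iface, gateway in gateway_by_interface.items():
        if gateway == second:
            return iface
    return None


def verify_route(tracert_text, debug_line, gateway_by_interface):
    """Cross-check the trace against the debug flow route decision."""
    hops = parse_tracert(tracert_text)
    by_number = dict(hops)
    from_trace = egress_interface(hops, gateway_by_interface)
    route = parse_route_message(debug_line)
    from_debug = route[1] if route else None
    return {
        "first_hop": by_number.get(1),       # the FortiGate internal interface
        "second_hop": by_number.get(2),      # the gateway behind the WAN interface
        "interface_from_trace": from_trace,
        "interface_from_debug": from_debug,
        "consistent": from_trace is not None and from_trace == from_debug,
    }


if __name__ == "__main__":
    print(verify_route(TRACERT_OUTPUT, DEBUG_FLOW_LINE, GATEWAY_BY_INTERFACE))
```

With a second default route in place, running the check from a host behind each policy route tells you which WAN link a given destination actually takes, without reading the trace by eye.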



How to verify the contents of the routing table (in NAT mode)


When you have partial connectivity, or possibly none at all, a good place to look for information is the routing table. The routing table is where all the currently used routes are stored, for both static and dynamic protocols. If a route is in the routing table, it saves the time and resources of a lookup. If a route has not been used for a while and a new route needs to be added, the oldest, least-used route is bumped when the routing table is full. This ensures the most recently used routes stay in the table. If your FortiGate unit is in Transparent mode, you are unable to perform this step.

If the FortiGate is running in NAT mode, verify that all desired routes are in the routing table: local subnets, default routes, specific static routes, and dynamic routing protocols.

To check the routing table in the web-based manager, use the Routing Monitor by going to Router > Monitor > Routing Monitor.

 

In the CLI, use the command get router info routing-table all. Sample output:

FGT# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 172.20.120.2, wan1
C       10.31.101.0/24 is directly connected, internal
C       172.20.120.0/24 is directly connected, wan1
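Added example, not from the Fortinet documentation: a Python parser for the routing-table output above that turns each entry into a record and then performs the verification the text asks for (the default route, required prefixes present, what leaves a given interface). The listing is the one shown above with one constructed static route (192.168.50.0/24 via 10.31.101.254) added so that a non-default static entry is exercised.

```python
import re

# Constructed sample: the routing table shown above, plus one invented static
# route (192.168.50.0/24) so the check has a non-default static entry to find.
ROUTING_TABLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 172.20.120.2, wan1
S       192.168.50.0/24 [10/0] via 10.31.101.254, internal
C       10.31.101.0/24 is directly connected, internal
C       172.20.120.0/24 is directly connected, wan1
"""

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# One route line: code (with optional '*' candidate-default flag), prefix, then
# either "[distance/metric] via <gateway>, <interface>" or "is directly connected, <interface>".
_ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Za-z][A-Za-z0-9]?)(?P<cand>\*?)\s+(?P<prefix>" + _IP + r"/\d{1,2})\s+"
    r"(?:\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gateway>" + _IP + r"),\s*(?P<dev>[\w.-]+)"
    r"|is directly connected,\s*(?P<cdev>[\w.-]+))"
)


def parse_routing_table(text):
    """Parse `get router info routing-table all` output into route dicts."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_LINE.match(line)
        if not m:
            continue  # legend lines and blanks
        routes.append({
            "code": m.group("code"),
            "candidate_default": m.group("cand") == "*",
            "prefix": m.group("prefix"),
            "distance": int(m.group("distance")) if m.group("distance") else 0,
            "metric": int(m.group("metric")) if m.group("metric") else 0,
            "gateway": m.group("gateway"),  # None for connected routes
            "interface": m.group("dev") or m.group("cdev"),
        })
    return routes


def default_route(routes):
    """Return the lowest-distance 0.0.0.0/0 entry, or None if there is none."""
    defaults = [r for r in routes if r["prefix"] == "0.0.0.0/0"]
    return min(defaults, key=lambda r: r["distance"]) if defaults else None


def missing_routes(routes, required_prefixes):
    """Required prefixes absent from the table: the check the text asks for."""
    present = {r["prefix"] for r in routes}
    return [p for p in required_prefixes if p not in present]


def routes_via(routes, interface):
    """All prefixes the table sends out of the given interface."""
    return [r["prefix"] for r in routes if r["interface"] == interface]


if __name__ == "__main__":
    table = parse_routing_table(ROUTING_TABLE)
    d = default_route(table)
    print("default via", d["gateway"], "on", d["interface"])
    print("missing:", missing_routes(table, ["0.0.0.0/0", "10.31.101.0/24", "10.99.0.0/16"]))
```

Feed the script the output of the same command run on both units of an HA pair, or before and after a change window, and the missing_routes list is the difference you care about.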



Troubleshooting traffic shaping


This chapter outlines some troubleshooting tips and steps to diagnose the shapers and verify whether they are working correctly. These diagnose commands include:

  • diagnose system tos-based-priority
  • diagnose firewall shaper traffic-shaper
  • diagnose firewall shaper per-ip-shaper
  • diagnose debug flow

 

Interface diagnosis

To optimize traffic shaping performance, first ensure that the network interface’s Ethernet statistics are clean of errors, collisions, or buffer overruns. To check the interface, enter the following diagnose command to see the traffic statistics:

diagnose hardware deviceinfo nic <port_name>

 

Shaper diagnose commands

There are specific diagnose commands you can use to verify the configuration and flow of traffic, including packet loss due to the employed shaper.

All of these diagnose troubleshooting commands are supported in both IPv4 and IPv6.

 

ToS command

Use the following command to view the ToS-based priority list:

diagnose system tos-based-priority

This example displays the priority value currently correlated with each possible ToS bit value. Priority values are displayed in order of their corresponding ToS bit values, which can range between 0 and 15, from lowest ToS bit value to highest.

For example, if you have not configured ToS-based priorities, the following appears…

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

…reflecting that all packets are currently using the same default priority, high (value 0).

If you have configured a ToS-based priority of low (value 2) for packets with a ToS bit value of 3, the following appears…

0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0

…reflecting that most packets are using the default priority value, except those with a ToS bit value of 3.

 

Shared shaper

To view information for the shared traffic shapers used by security policies, enter the command:

diagnose firewall shaper traffic-shaper list

The resultant output displays the information on all available shapers. The more shapers available the longer the list. For example:

name Throughput
maximum-bandwidth 1200000 Kb/sec guaranteed-bandwidth 50000 Kb/sec current-bandwidth 0 B/sec
priority 1
packets dropped 0

Additional commands include:

diagnose firewall shaper traffic-shaper state – provides the total number of traffic shapers on the FortiGate unit.

diagnose firewall shaper traffic-shaper stats – provides summary statistics on the shapers.

Sample output looks like the following:

shapers 9 ipv4 0 ipv6 0 drops 0

 

PerIP shaper

To view information for the per-IP shapers used by security policies, enter the command:

diagnose firewall shaper per-ip-shaper list

The resultant output displays the information on all available per-IP shapers. The more shapers available the longer the list. For example:

name accounting_group

maximum-bandwidth 200000 Kb/sec maximum-concurrent-session 55 packet dropped 0

 

Additional commands include:

diagnose firewall shaper per-ip-shaper state – provides the total number of per-ip shapers on the FortiGate unit.

diagnose firewall shaper per-ip-shaper stats – provides summary statistics on the shapers.

Sample output looks like the following:

memory allocated 3 packet dropped: 0

 

You can also clear the per-IP statistical data to begin a fresh diagnosis using:

diagnose firewall shaper per-ip-shaper clear

 

Packet loss with statistics on shapers

For each shaper there are counters that let you verify whether packets have been discarded. To view this information, in the CLI, enter the command diagnose firewall shaper. The results will look similar to the following output:

diagnose firewall shaper traffic-shaper list
name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 Kb/sec guaranteed-bandwidth 25 Kb/sec current-bandwidth 51 Kb/sec priority 3 dropped 1291985

The diagnose command output is different if the shapers are configured either per-policy or shared between policies.

 

For per-IP the output would be:

diagnose firewall shaper per-ip-shaper list

name accounting_group

maximum-bandwidth 200000 Kb/sec maximum-concurrent-session 55 packet dropped 3264220

 

Packet loss with the debug flow

When using the debug flow diagnostic command, a specific message reports that a packet has exceeded the shaper limits and was therefore discarded:

diagnose debug flow show console enable
diagnose debug flow filter addr 10.143.0.5
diagnose debug flow trace start 1000

id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
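Added example, not part of the Fortinet documentation: Python that reads the shaper listings and the debug flow trace shown in this section and flags the conditions described above: shapers with a non-zero drop counter, shapers whose current-bandwidth is at or above maximum-bandwidth (the limit_GB_25_MB_50_LQ case, 51 Kb/sec against a 50 Kb/sec limit), and the trace_ids that ended in "exceeded shaper limit, drop". The sample texts combine the outputs printed above; the second trace_id (12) in the debug flow is constructed.

```python
import re

# Constructed sample output: the two shared-shaper entries printed on this page,
# joined into one `diagnose firewall shaper traffic-shaper list` listing.
SHARED_SHAPER_LIST = """\
name Throughput
maximum-bandwidth 1200000 Kb/sec guaranteed-bandwidth 50000 Kb/sec current-bandwidth 0 B/sec
priority 1
packets dropped 0
name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 Kb/sec guaranteed-bandwidth 25 Kb/sec current-bandwidth 51 Kb/sec priority 3 dropped 1291985
"""

# The per-IP listing printed on this page.
PER_IP_SHAPER_LIST = """\
name accounting_group
maximum-bandwidth 200000 Kb/sec maximum-concurrent-session 55 packet dropped 3264220
"""

# Constructed debug flow trace: the dropped packet shown above plus a second,
# invented trace_id (12) that is not dropped.
DEBUG_FLOW = """\
id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
id=20085 trace_id=12 msg="vd-root received a packet(proto=17, 10.141.0.11:3736->10.143.0.5:5001) from port5."
id=20085 trace_id=12 msg="Find an existing session, id-0000eabc, original direction"
"""

# Field patterns; the drop counter appears as "packets dropped", "packet dropped"
# or just "dropped" depending on the listing, so one pattern covers all three.
_INT_FIELDS = {
    "maximum_kbps": re.compile(r"maximum-bandwidth (\d+) Kb/sec"),
    "guaranteed_kbps": re.compile(r"guaranteed-bandwidth (\d+) Kb/sec"),
    "max_sessions": re.compile(r"maximum-concurrent-session (\d+)"),
    "priority": re.compile(r"\bpriority (\d+)"),
    "dropped": re.compile(r"(?:packets? )?dropped:? (\d+)"),
}
_CURRENT = re.compile(r"current-bandwidth (\d+) (B|Kb)/sec")
_TRACE_ID = re.compile(r"trace_id=(\d+)")


def parse_shaper_list(text):
    """Parse shared or per-IP shaper listings into one dict per shaper."""
    shapers = []
    for line in text.splitlines():
        if line.startswith("name "):
            shapers.append({"name": line.split(None, 1)[1].strip()})
            continue
        if not shapers:
            continue  # nothing before the first "name" line is a field
        current = shapers[-1]
        for key, pattern in _INT_FIELDS.items():
            m = pattern.search(line)
            if m:
                current[key] = int(m.group(1))
        m = _CURRENT.search(line)
        if m:
            value, unit = int(m.group(1)), m.group(2)
            # normalise bytes/sec to kilobits/sec so it compares with maximum-bandwidth
            current["current_kbps"] = value if unit == "Kb" else value * 8 / 1000
    return shapers


def shapers_with_loss(shapers):
    """Names of shapers whose drop counter is non-zero."""
    return [s["name"] for s in shapers if s.get("dropped", 0) > 0]


def saturated_shapers(shapers):
    """Names of shapers whose current rate is at or above maximum-bandwidth."""
    return [s["name"] for s in shapers
            if "maximum_kbps" in s and s.get("current_kbps", 0) >= s["maximum_kbps"]]


def dropped_trace_ids(debug_flow_text):
    """trace_ids in a debug flow capture that ended with a shaper drop."""
    ids = []
    for line in debug_flow_text.splitlines():
        if "exceeded shaper limit, drop" in line:
            m = _TRACE_ID.search(line)
            if m:
                ids.append(int(m.group(1)))
    return ids


if __name__ == "__main__":
    shared = parse_shaper_list(SHARED_SHAPER_LIST)
    print("dropping:", shapers_with_loss(shared), "saturated:", saturated_shapers(shared))
    print("dropped traces:", dropped_trace_ids(DEBUG_FLOW))
```

Sampling the listing twice and diffing the dropped counters tells you whether loss is ongoing or historical; a shaper that is saturated but not dropping is one whose excess is being queued rather than discarded.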

 

Session list details with dual traffic shaper

When a Security Policy has a different traffic shaper for each direction, it is reflected in the session list output from the CLI:

diagnose system session list

session info: proto=6 proto_state=02 expire=115 timeout=3600 flags=00000000 sock flag=00000000 sockport=0 av_idx=0 use=4

origin-shaper=Limit_25Mbps prio=1 guarantee 25600/sec max 204800/sec traffic 48/sec reply-shaper=Limit_100Mbps prio=1 guarantee 102400/sec max 204800/sec traffic 0/sec ha_id=0 hakey=44020

policy_dir=0 tunnel=/

state=may_dirty rem os rs

statistic(bits/packets/allow_err): org=96/2/1 reply=0/0/0 tuples=2

orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=10.160.0.1/0.0.0.0 hook=pre dir=org act=dnat 192.168.171.243:2538->192.168.182.110:80(10.160.0.1:80) hook=post dir=reply act=snat 10.160.0.1:80->192.168.171.243:2538(192.168.182.110:80) pos/(before,after) 0/(0,0), 0/(0,0)

misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0 serial=00011e81 tos=ff/ff app=0 dd_type=0 dd_rule_id=0

 

Additional Information

  • Packets discarded by the shaper affect flow-control mechanisms such as TCP. For more accurate test results, prefer UDP traffic.
  • Traffic shaping accuracy is optimum for security policies without a protection profile, where no FortiGate content inspection is processed.
  • Do not oversubscribe the outbandwidth throughput; that is, keep sum[guaranteed BW] < outbandwidth. For accuracy in bandwidth calculation, the “outbandwidth” parameter must be set on the interfaces. For more information see Bandwidth guarantee, limit, and priority interactions on page 2468.
  • The FortiGate unit does not prioritize traffic based on the DSCP marking configured in the security policy. However, ToS-based prioritizing can be done at ingress. For more information see Traffic shaping methods on page 2476.


QoS using priority from ToS or differentiated services


Configurations implementing QoS using the priority values defined in either global or specific ToS bit values are not capable of applying bandwidth limits and guarantees, but are capable of prioritizing traffic at per-packet levels, rather than uniformly to all services matched by the security policy.

In addition to configuring traffic prioritization, you may also choose to limit bandwidth being received by each interface. This can sometimes be useful in scenarios where you want to limit traffic levels, but do not want to configure traffic shaping within a security policy. This has the benefit of policing traffic at a point before the FortiGate unit performs most processing.

Note that if you implement QoS using the ToS octet rather than security policies, the FortiGate unit applies QoS on a packet-by-packet basis, and priorities may differ for packets and services controlled by the same security policy. This is more granular control than prioritization by security policy, but has the drawbacks that quality of service may not be uniform for multiple services controlled by the same security policy, packets will only use up to three of the six possible queues (queue 0 to queue 2), and bandwidth cannot be guaranteed. Other devices in your network must also be able to set or preserve ToS bits.

In this example, we limit the bandwidth accepted by each source interface, and then configure prioritized queuing on the destination interface based upon the value of the ToS bit located in the IP header of each accepted packet.

To limit bandwidth accepted by an interface, in the CLI, enter the following commands:

config system interface
    edit <name_str>
        set inbandwidth <rate_int>
    next
end

where <rate_int> is the bandwidth limit in Kb/s. Excess packets will be dropped.

To configure priorities, in the CLI, configure the global priority value using the following commands:

config system global
    set tos-based-priority {high | low | medium}
end

where high has a priority value of 0 and low is 2.

If you want to prioritize some ToS bit values differently than the global ToS-based priority, configure the priority for packets with that ToS bit value using the following commands:

config system tos-based-priority
    edit <id_int>
        set tos [0-15]
        set priority {high | low | medium}
    next
end

where tos is the value of the ToS bits in the packet’s IP header, and high has a priority value of 0 and low is 2. Priority values configured here override the global ToS-based priority.

 

Sample configuration

This sample configuration limits ingressing bandwidth to 500 Kb/s. It also queues egressing traffic based upon the ToS bit in the IP header of ingressing packets.

Unless specified for the packet’s ToS bit value, packets use the low priority queue (queue 2). For ToS bit values 4 and 15, the priorities are specified as medium (value 1) and high (value 0), respectively.

config system interface
    edit wan1
        set inbandwidth 500
    next
end

config system global
    set tos-based-priority low
end

config system tos-based-priority
    edit 4
        set tos 4
        set priority medium
    next
    edit 15
        set tos 15
        set priority high
    next
end
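Added example, not from the Fortinet documentation, covering both the `diagnose system tos-based-priority` output described under Troubleshooting traffic shaping and the sample configuration just above: Python that parses the ToS-based priority CLI configuration, computes the 16-value line the diagnose command should print (2 2 2 2 1 2 2 2 2 2 2 2 2 2 2 0 for this configuration) and compares it with the line actually returned by the unit. The second diagnose line, in which the ToS 4 override is missing, is constructed to show a mismatch.

```python
# Constructed sample: the CLI configuration from the sample above, as the text a
# `show` command prints, plus two diagnose output lines. DIAG_OUTPUT_BAD is an
# invented line in which the ToS 4 override is absent.
SAMPLE_CONFIG = """\
config system global
    set tos-based-priority low
end
config system tos-based-priority
    edit 4
        set tos 4
        set priority medium
    next
    edit 15
        set tos 15
        set priority high
    next
end
"""
DIAG_OUTPUT_OK = "2 2 2 2 1 2 2 2 2 2 2 2 2 2 2 0"
DIAG_OUTPUT_BAD = "2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 0"

# Priority values as stated in the text: high 0, medium 1, low 2.
PRIORITY_VALUE = {"high": 0, "medium": 1, "low": 2}


def parse_tos_config(cli_text):
    """Return (global_priority, {tos_value: priority}) from the CLI text."""
    global_priority = "high"  # unconfigured default per the text: every ToS value prints 0
    overrides = {}
    section = None
    entry = {}
    for raw in cli_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "config" and tokens[1:3] == ["system", "global"]:
            section = "global"
        elif tokens[0] == "config" and tokens[1:3] == ["system", "tos-based-priority"]:
            section = "tos"
        elif tokens[0] == "edit" and section == "tos":
            entry = {}
        elif tokens[0] == "set" and section == "global" and tokens[1] == "tos-based-priority":
            global_priority = tokens[2]
        elif tokens[0] == "set" and section == "tos" and tokens[1] in ("tos", "priority"):
            entry[tokens[1]] = tokens[2]
        elif tokens[0] == "next" and section == "tos" and "tos" in entry:
            overrides[int(entry["tos"])] = entry.get("priority", global_priority)
        elif tokens[0] == "end":
            section = None
    return global_priority, overrides


def expected_table(global_priority, overrides):
    """The 16 priority values `diagnose system tos-based-priority` should print."""
    table = [PRIORITY_VALUE[global_priority]] * 16
    for tos, priority in overrides.items():
        if not 0 <= tos <= 15:
            raise ValueError("ToS value out of range: %d" % tos)
        table[tos] = PRIORITY_VALUE[priority]
    return table


def parse_diag_output(line):
    """Turn the diagnose line into a list of 16 ints."""
    values = [int(v) for v in line.split()]
    if len(values) != 16:
        raise ValueError("expected 16 priority values, got %d" % len(values))
    return values


def mismatches(cli_text, diag_line):
    """(tos, expected, actual) triples where the unit disagrees with the config."""
    expected = expected_table(*parse_tos_config(cli_text))
    actual = parse_diag_output(diag_line)
    return [(tos, e, a) for tos, (e, a) in enumerate(zip(expected, actual)) if e != a]


if __name__ == "__main__":
    print(" ".join(str(v) for v in expected_table(*parse_tos_config(SAMPLE_CONFIG))))
    print("mismatches:", mismatches(SAMPLE_CONFIG, DIAG_OUTPUT_BAD))
```

The diagnose line is indexed by ToS value, so a mismatch at position 4 points straight at the entry whose `set tos 4` was not committed.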

 

Example setup for VoIP

In this example, there are three traffic shaping requirements for a network:

  • Voice over IP (VoIP) requires guaranteed, high-priority bandwidth for telephone communications.
  • FTP bursts must be contained so as not to consume all available bandwidth. As such, this traffic needs to be throttled to a smaller amount.
  • A consistent bandwidth requirement is needed for all other email and web-based traffic.

To meet these requirements, you need to create three separate shapers and one traffic shaping policy for each traffic type.

In this example, the values used are not recommended values.

 

Creating the traffic shapers

First create the traffic shapers that define the maximum and guaranteed bandwidth. The shared shapers will be used with some applied per-policy and some applied to all policies, to better control traffic.

 

VoIP shaper

VoIP functionality is a key component of the business as a communication tool and as such requires guaranteed bandwidth. This shaper will be a high priority shaper.

 

To create a VoIP shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers and select Create New.

2. Set the Type to Shared.

3. Enter the Name voip.

4. Set the Traffic Priority to High.

5. Select Maximum Bandwidth and enter 1000 Kb/s.

6. Select Guaranteed Bandwidth and enter 800 Kb/s.

7. Select OK.

8. Select the voip shaper, right-click it, and select Edit in CLI. Type the following commands:

set per-policy enable
end

 

To create a VoIP shaper – CLI:

config firewall shaper traffic-shaper
    edit voip
        set maximum-bandwidth 1000
        set guaranteed-bandwidth 800
        set per-policy enable
        set priority high
    next
end

Setting the shaper to per-policy ensures that, regardless of the number of policies that use this shaper, the defined bandwidth will always be the same for each. At the same time, the bandwidth is continually guaranteed at 800 Kb/s but, if available, can be as much as 1000 Kb/s. Setting the priority to high ensures that the FortiGate unit always considers VoIP traffic the most important.

 

FTP shaper

The FTP shaper sets the maximum bandwidth FTP may use, to avoid sudden spikes from uploading or downloading large files interfering with other, more important traffic.

 

To create an FTP shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers and Create New.

2. Set the Type to Shared.

3. Enter the Name ftp.

4. Set the Traffic Priority to Low.

5. Select Maximum Bandwidth and enter 200 Kb/s.

6. Select Guaranteed Bandwidth and enter 200 Kb/s.

7. Select OK.

 

 

To create an FTP shaper – CLI:

config firewall shaper traffic-shaper
    edit ftp
        set maximum-bandwidth 200
        set guaranteed-bandwidth 200
        set priority low
    next
end

 

For this shaper, the maximum and guaranteed bandwidth are set low and to the same value. In this case, the bandwidth is restricted to a specific amount. Setting the traffic priority low ensures that more important traffic will be able to pass before FTP traffic.

 

Regular traffic shaper

The regular shaper sets the maximum bandwidth and guaranteed bandwidth for everyday business traffic such as web and email traffic.

 

To create a regular shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers and Create New.

2. Set the Type to Shared.

3. Enter the Name daily_traffic.

4. Set the Traffic Priority to Medium.

5. Select Maximum Bandwidth and enter 600 Kb/s.

6. Select Guaranteed Bandwidth and enter 600 Kb/s.

7. Select OK.

 

To create a regular shaper – CLI:

config firewall shaper traffic-shaper
    edit daily_traffic
        set maximum-bandwidth 600
        set guaranteed-bandwidth 600
        set per-policy enable
        set priority medium
    next
end

 

For this shaper, the maximum and guaranteed bandwidth are set to a moderate value of 600 Kb/s. It is also set for per policy, which ensures each security policy for day-to-day business traffic has the same distribution of bandwidth.
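Added example, not from the Fortinet documentation: a Python model of the three shapers above that applies the oversubscription rule given under Troubleshooting traffic shaping (sum[guaranteed BW] < outbandwidth) per egress interface. Following the per-policy behaviour described for the voip shaper, a per-policy shaper is counted once for every policy that references it, while a shared (all-policies) shaper is one pool and is counted once. Shaping policies 1 to 3 mirror the example; policies 4 and 5 and the outbandwidth values are hypothetical.

```python
# Constructed model of the three shapers created above (Kb/s, as in the text).
SHAPERS = {
    "voip": {"guaranteed": 800, "maximum": 1000, "per_policy": True, "priority": "high"},
    "ftp": {"guaranteed": 200, "maximum": 200, "per_policy": False, "priority": "low"},
    "daily_traffic": {"guaranteed": 600, "maximum": 600, "per_policy": True, "priority": "medium"},
}

# Hypothetical shaping policies: 1 to 3 mirror the example; 4 shares the ftp
# shaper with policy 2; 5 is a second daily_traffic instance on another interface.
POLICIES = [
    {"id": 1, "dstintf": "wan1", "traffic_shaper": "voip"},
    {"id": 2, "dstintf": "wan1", "traffic_shaper": "ftp"},
    {"id": 3, "dstintf": "wan1", "traffic_shaper": "daily_traffic"},
    {"id": 4, "dstintf": "wan1", "traffic_shaper": "ftp"},
    {"id": 5, "dstintf": "wan2", "traffic_shaper": "daily_traffic"},
]

# Hypothetical `set outbandwidth` values per interface, in Kb/s.
OUTBANDWIDTH = {"wan1": 1500, "wan2": 1000}


def validate_shapers(shapers):
    """Shapers whose guarantee exceeds their maximum can never deliver the guarantee."""
    return [name for name, s in shapers.items() if s["guaranteed"] > s["maximum"]]


def guaranteed_demand(shapers, policies):
    """Guaranteed bandwidth reserved per egress interface.

    A per-policy shaper is instantiated once per referencing policy, so its
    guarantee is added for every policy; a shared shaper is a single pool, so it
    is added once per interface no matter how many policies reference it.
    """
    demand = {}
    seen_shared = set()
    for p in policies:
        s = shapers[p["traffic_shaper"]]
        key = (p["dstintf"], p["traffic_shaper"])
        if not s["per_policy"]:
            if key in seen_shared:
                continue
            seen_shared.add(key)
        demand[p["dstintf"]] = demand.get(p["dstintf"], 0) + s["guaranteed"]
    return demand


def oversubscribed(demand, outbandwidth):
    """Interfaces violating sum[guaranteed BW] < outbandwidth, with the numbers."""
    return {iface: (kbps, outbandwidth[iface])
            for iface, kbps in demand.items()
            if iface in outbandwidth and kbps >= outbandwidth[iface]}


if __name__ == "__main__":
    demand = guaranteed_demand(SHAPERS, POLICIES)
    print("invalid shapers:", validate_shapers(SHAPERS))
    print("guaranteed per interface:", demand)
    print("oversubscribed:", oversubscribed(demand, OUTBANDWIDTH))
```

On wan1 the example reserves 800 + 200 + 600 = 1600 Kb/s of guarantees, which already exceeds a 1500 Kb/s outbandwidth, so the guarantees cannot all be honoured at once; adding more policies that reference a per-policy shaper raises the total again, whereas adding policies that reference the shared ftp shaper does not.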

 

Creating Traffic Shaping Policies

To employ the shapers, create traffic shaping policies that apply to your existing security policy. Create a separate policy for each service and apply the shaper to the outgoing interface you would like to use; for example, a policy for FTP traffic, a policy for SIP, and so on.

For the following steps the VoIP traffic shaper is enabled as well as the reverse direction. This ensures that return traffic for a VoIP call has the same guaranteed bandwidth as the outgoing call. The example below shows how to enable each traffic shaper in a traffic shaping policy.

In this example, the traffic shaping policies will apply shaping to the following security policy:

 

Incoming interface                   lan (Internal interface)

Source address                         All

Outgoing interface                   WAN1

Destination address                 All

Schedule                                    always

Service                                       all

Action                                         ACCEPT

 

To create a VoIP traffic shaping policy – web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policy and select Create New.

2. Now create a traffic shaping policy that matches the settings you entered for your security policy:

Source                                        All

Destination                                All

Service                                       All

Application Category               VoIP

Application                                SIP

URL Category                            Internet Telephony

Outgoing Interface                   wan1

3. Enable Shared Shaper, select the voip shaper created in the previous steps.

4. Enable Reverse Shaper, select the voip shaper created in the previous steps.

5. Select Enable this policy.

6. Select OK.

 

To create a VoIP traffic shaping policy – CLI:

config firewall shaping-policy
    edit 1 <shaping policy ID number>
        set srcaddr all
        set dstaddr all
        set service ALL
        set application 34640 <SIP>
        set app-category 3 <VoIP>
        set url-category 76 <Internet Telephony>
        set dstintf wan1 <outgoing interface>
        set traffic-shaper voip <high priority custom shaper>
        set reverse-traffic-shaper voip <high priority custom shaper>
    next
end

 

To create an FTP traffic shaping policy – web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policy and select Create New.

2. Now create a traffic shaping policy that matches the settings you entered for your security policy:

Source                                        All

Destination                                All

Service                                       FTP

Outgoing Interface                   wan1

3. Enable Shared Shaper, select the FTP shaper created in the previous steps.

4. Enable Reverse Shaper, select the FTP shaper created in the previous steps.

5. Select Enable this policy.

6. Select OK.

 

To create an FTP traffic shaping policy – CLI:

config firewall shaping-policy
    edit 2 <shaping policy ID number>
        set srcaddr all
        set dstaddr all
        set service FTP
        set dstintf wan1 <outgoing interface>
        set traffic-shaper ftp <low priority custom shaper>
        set reverse-traffic-shaper ftp <low priority custom shaper>
    next
end

 

To create a regular traffic shaping policy – web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policy and select Create New.

2. Now create a traffic shaping policy that matches the settings you entered for your security policy:

Source                                        All

Destination                                All

Service                                       ALL

Outgoing Interface                   wan1

3. Enable Shared Shaper, select the medium-priority shaper.

4. Enable Reverse Shaper, select the medium-priority shaper.

5. Select Enable this policy.

6. Select OK.

 

To create a regular traffic shaping policy – CLI:

config firewall shaping-policy
    edit 3 <shaping policy ID number>
        set srcaddr all
        set dstaddr all
        set service ALL
        set dstintf wan1 <outgoing interface>
        set traffic-shaper medium-priority <default shaper>
        set reverse-traffic-shaper medium-priority <default shaper>
    next
end

 

To order your traffic shaping policies – CLI:

config firewall shaping-policy
    move 1 before 2
    move 3 after 2
end

Ensure that your high priority SIP/VoIP policy is at the top of the policy list, the low priority FTP shaper comes second, and the medium priority regular-traffic shaper comes last. Restrictive policies should always go above more general access policies.

 

Alternate Method of enabling traffic shaping in the security policy

It is also possible to create three separate security policies for each type of traffic (VoIP, FTP, and regular). You can enable traffic shaping individually within each security policy in the CLI only, like the example shown below:

 

To enable traffic shaping in the security policy – CLI:

config firewall policy
    edit 6
        set srcintf <internal_interface>
        set srcaddr all
        set dstintf wan1
        set dstaddr all
        set action accept
        set schedule always
        set service sip
        set traffic-shaper voip
        set reverse-traffic-shaper voip
    next
end



QoS using priority from security policies


Configurations implementing QoS using the priority values defined in the security policies are capable of applying bandwidth limits and guarantees.

In addition to configuring traffic shaping, you may also choose to limit the bandwidth accepted by each interface. This can be useful in scenarios where the bandwidth received on source interfaces frequently exceeds the maximum bandwidth limit defined in the security policy. Rather than waste processing power on packets that will get dropped later in the process, you may choose to preemptively police the traffic.

If you decide to implement QoS using security policies rather than the ToS bit, the FortiGate unit applies QoS to all packets controlled by the policy. This type of control is less granular than prioritization by ToS bit, but has the benefit of correlating quality of service to a security policy. This correlation enables you to distribute traffic over up to four of the six possible priority queues (queue 0 to queue 3), does not require other devices in your network to set or respect the ToS bit, and enables you to configure bandwidth limits and guarantees.

In the following example, we limit the bandwidth accepted by each source interface, limit the bandwidth used by sessions controlled by the security policy, and then configure prioritized queuing on the destination interface based upon the priority in the security policy, subject to alternative assignment to queue 0 when necessary to achieve the guaranteed packet rate.

 

To limit bandwidth accepted by an interface

In the CLI, enter the following commands:

config system interface
    edit <name_str>
        set inbandwidth <rate_int>
    next
end

 

where <rate_int> is the bandwidth limit in Kb/s. Excess packets will be dropped.

 

To configure bandwidth guarantees, limits, and priorities

1. Go to Policy & Objects > Traffic Shapers and select the Create New “Plus” sign.

2. Select Shared or PerIP.

3. Enter a name for the shaper.

4. Select the Traffic Priority.

High has a priority value of 1, Medium is 2, and Low is 3. While the current packet rate is below Guaranteed Bandwidth, the FortiGate unit will disregard this setting and instead use priority queue 0.

5. Enable Max Bandwidth and enter a value.

Packets greater than this rate will be discarded.

6. Enable Guaranteed Bandwidth and enter a value, if any.

Bandwidth guarantees affect prioritization. While packet rates are less than this rate, they use priority queue 0. If this is not the effect you intend, consider entering a small guaranteed rate, or enter 0 to effectively disable bandwidth guarantees.

7. Enable DSCP and set a value.

8. Select OK.

 

PerIP shapers also include the option to set a maximum number of concurrent connections and to set both Forward DSCP and Reverse DSCP.

 

Sample configuration

This sample configuration limits ingressing bandwidth to 500 Kb/s. It also applies separate traffic shapers to FTP and HTTP traffic. In addition to the interface bandwidth limit, HTTP traffic is subject to a security policy bandwidth limit of 200 Kb/s.

All egressing FTP traffic greater than 10 Kb/s is subject to a low priority queue (queue 3), while all egressing HTTP traffic greater than 100 Kb/s is subject to a medium priority queue (queue 2). That is, unless FTP traffic rates are lower than their guaranteed rate, and web traffic rates are greater than their guaranteed rate, FTP traffic is lower priority than web traffic.

Traffic less than these guaranteed bandwidth rates uses the highest priority queue (queue 0).

Set the inbandwidth limit. This setting is only available in the CLI:

config system interface
    edit wan1
        set inbandwidth 500
    next
end

 

Create traffic shapers for FTP and HTTP.

 

To configure an FTP shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers, and select the Create New “Plus” icon.

2. Select Shared.

3. Enter FTP for the name of the shaper.

4. Set Traffic Priority to Low.

5. Select the Guaranteed Bandwidth checkbox and enter 10 Kbps.

6. Select the Maximum Bandwidth checkbox and enter 500 Kbps.

7. Select OK.

8. Select the FTP shaper, right-click it, and select Edit in CLI. Type the following command:

set per-policy enable
end

 

To configure an HTTP shaper – web-based manager:

1. Select the Create New “Plus” icon.

2. Set Type to Shared.

3. Enter HTTP for the name of the shaper.

4. Set Traffic Priority to Medium.

5. Select the Guaranteed Bandwidth checkbox and enter 100 Kbps.

6. Select the Maximum Bandwidth checkbox and enter 200 Kbps.

7. Select OK.

8. Select the HTTP shaper, right-click it, and select Edit in CLI. Type the following command:

set per-policy enable
end

 

To add the FTP shaper to a traffic shaping policy – web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policy and click Create New to create a traffic shaping policy for FTP.

2. Set the Matching Criteria to the following:

Source                                                all

Destination address                        all

Service                                                FTP

3. Under Apply shaper, set the following:

Outgoing interface                            any (The outgoing interface should match the outgoing interface of the security policy you wish to apply shaping to.)

Shared Shaper                           Enable Shared Shaper and select FTP from the dropdown menu.

Reverse Shaper                          Enable Reverse Shaper and select FTP from the dropdown menu.

Enable this policy                     Enable this policy.

4. Select OK.

 

To add the HTTP shaper to a traffic shaping policy – web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policy and click Create New to create a traffic shaping policy for HTTP.

2. Set the Matching Criteria to the following:

Source                                                all

Destination address                        all

Service                                                HTTP

3. Under Apply shaper, set the following:

Outgoing interface                            any (The outgoing interface should match the outgoing interface of the security policy you wish to apply shaping to.)

Shared Shaper                           Enable Shared Shaper and select HTTP from the dropdown menu.

Reverse Shaper                          Enable Reverse Shaper and select HTTP from the dropdown menu.

Enable this policy                     Enable this policy.

4. Select OK.

5. On the policy list page, move the FTP traffic shaping policy to the top of the list by clicking on the far left column to drag and drop it. The HTTP traffic shaping policy should be below the FTP policy, and more general internet access policies should be at the bottom of the policy list.

 

To configure the FTP and HTTP shapers – CLI:

config firewall shaper traffic-shaper
    edit FTP
        set maximum-bandwidth 500
        set guaranteed-bandwidth 10
        set per-policy enable
        set priority low
    next
    edit HTTP
        set maximum-bandwidth 200
        set guaranteed-bandwidth 100
        set per-policy enable
        set priority medium
    next
end

 

To add each shaper to a traffic shaping policy – CLI:

config firewall shaping-policy
    edit 1 <shaping policy ID number>
        set srcaddr all
        set dstaddr all
        set service FTP
        set dstintf wan1 <outgoing interface>
        set traffic-shaper FTP
    next
    edit 2 <shaping policy ID number>
        set srcaddr all
        set dstaddr all
        set service HTTP
        set dstintf wan1 <outgoing interface>
        set traffic-shaper HTTP
    next
    move 1 before 2
end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Traffic Shaper Monitor

You can view statistical information about traffic shapers and their bandwidth from FortiView > Traffic Shaping.

Refresh reloads the statistics shown on the page.

Table View shows the following columns by default: Shaper, Bytes (Sent/Received), Sessions, Bandwidth, and Dropped Bytes. For more display options, right-click on the column header.

Bubble Chart shows you which resources consume the most bandwidth. Double-click on a shaper to view more details. Determine whether more granular shaping is required by looking at the bandwidth usage by sources, destinations, applications, policies, and sessions.

 

FortiView Settings include the following options:

  • Include Local traffic (Realtime Only)
  • Include Unscanned Applications (Applications View Only)
  • Auto update realtime visualizations
  • Interval (seconds)
  • Threat Weight Settings

 

Examples

While it is possible to configure QoS using a combination of security policies and ToS based priorities, and to distribute traffic over all six of the possible queues for each physical interface, the results of those configurations can be more difficult to analyze due to their complexity. In those cases, prioritization behavior can vary by several factors, including traffic volume, ToS (type of service) or differentiated services markings, and correlation of session to a security policy.

The following simple examples illustrate QoS configurations using either prioritization by security policy, or prioritization by ToS bit, but not both. The examples also assume you are not configuring traffic shaping for interfaces that receive hardware acceleration from network processing units (NPU).



Differentiated Services

Differentiated Services describes a set of end-to-end Quality of Service (QoS) capabilities. End-to-end QoS is the ability of a network to deliver service required by specific network traffic from one end of the network to another. By configuring differentiated services, you configure your network to deliver particular levels of service for different packets based on the QoS specified by each packet.

Differentiated Services (also called DiffServ) is defined by RFC 2474 and RFC 2475 as enhancements to IP networking that enable scalable service discrimination in the IP network without the need for per-flow state and signaling at every hop. Routers that understand differentiated services sort IP traffic into classes by inspecting the DS field in the IPv4 header or the Traffic Class field in the IPv6 header.

You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet.

If the differentiated services feature is not enabled, the FortiGate unit treats traffic as if the DSCP value is set to the default (00), and will not change IP packets’ DSCP field. DSCP values are also not applied to traffic if the traffic originates from a FortiGate unit itself.

The FortiGate unit applies the DSCP value and IPsec encryption to the differentiated services (formerly ToS) field in the first word of the IP header. The typical first word of an IP header, with the default DSCP value, is 4500:

  • 4 for IPv4
  • 5 for a length of five words
  • 00 for the default DSCP value

You can change the packet’s DSCP field for traffic that initiates a session (forward) and for reply traffic (reverse). Each direction is enabled separately and configured in the security policy.

Changes to DSCP values in a security policy affect only new sessions. If traffic must use the new DSCP values immediately, clear all existing sessions.

DSCP is enabled using the CLI command:

config firewall policy
    edit <policy_number>
        set diffserv-forward enable
        set diffservcode-forward <binary_integer>
        set diffserv-reverse enable
        set diffservcode-rev <binary_integer>
    next
end

For more information on the different DSCP commands, see the examples below and the CLI Reference. If you only set diffserv-forward and diffserv-reverse without setting the corresponding diffservcode values, the FortiGate unit will reset the DSCP bits to zero.

For a list of DSCP values and their ToS equivalents see Differentiated Services on page 2491. DSCP values can also be defined within a shared shaper as a single value, and per-IP shaper for forward and reverse directions.

 

DSCP examples

For all of the following DSCP examples, the FortiGate and client PC configuration is the one shown in the diagram below, and the examples use firewall-policy-based DSCP configurations.

[Figure: network diagram for the DSCP examples: User 1, FortiGate A, Internet, FortiGate B, User 2]

Example

In this example, an ICMP ping is executed between User 1 and FortiGate B, through FortiGate A. DSCP is disabled on FortiGate B, and FortiGate A contains the following configuration:

config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-forward enable
        set diffservcode-forward 101110
    next
end

 

As a result, FortiGate A changes the DSCP field for outgoing traffic, but not for its reply traffic. The binary DSCP values used map to the following hexadecimal ToS field values, which are observable by a sniffer (also known as a packet tracer):

  • DSCP 000000 is TOS field 0x00
  • DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)

If you performed an ICMP ping between User 1 and User 2, the following output illustrates the IP headers for the request and the reply as seen by sniffers on each of the FortiGate units’ network interfaces. The right-most two digits of each IP header are the ToS field, which contains the DSCP value. Columns run from the User 1 side (left) to the User 2 side (right):

  Request (User 1 to User 2):   4500 4500 45b8 45b8 45b8 45b8
  Reply (User 2 to User 1):     4500 4500 4500 4500 4500 4500

Example

In this example, an ICMP ping is executed between User 1 and FortiGate B, through FortiGate A. DSCP is disabled on FortiGate B, and FortiGate A contains the following configuration:

config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-forward enable
        set diffserv-reverse enable
        set diffservcode-forward 101110
        set diffservcode-rev 101111
    next
end

As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic. The binary DSCP values map to the following hexadecimal ToS field values, which are observable by a sniffer (also known as a packet tracer):

  • DSCP 000000 is TOS field 0x00
  • DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
  • DSCP 101111 is TOS field 0xbc

If you performed an ICMP ping between User 1 and User 2, the output below illustrates the IP headers observed for the request and the reply by sniffers on each of FortiGate A’s and FortiGate B’s network interfaces. The right-most two digits of each IP header are the ToS field, which contains the DSCP value. Columns run from the User 1 side (left) to the User 2 side (right):

  Request (User 1 to User 2):   4500 4500 45b8 45b8 45b8 45b8
  Reply (User 2 to User 1):     45bc 45bc 4500 4500 4500 4500

 

Example

In this example, an ICMP ping is executed between User 1 and FortiGate B, through FortiGate A. DSCP is enabled for both traffic directions on FortiGate A, and enabled only for reply traffic on FortiGate B. FortiGate A contains the following configuration:

config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-forward enable
        set diffserv-reverse enable
        set diffservcode-forward 101110
        set diffservcode-rev 101111
    next
end

 

FortiGate B contains the following configuration:

config firewall policy
    edit 2
        set srcintf wan2
        set dstintf internal
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-reverse enable
        set diffservcode-rev 101101
    next
end

 

As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic, and FortiGate B changes the DSCP field only for reply traffic. The binary DSCP values in this configuration map to the following hexadecimal ToS field values:

  • DSCP 000000 is TOS field 0x00
  • DSCP 101101 is TOS field 0xb4
  • DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
  • DSCP 101111 is TOS field 0xbc

If you performed an ICMP ping between User 1 and User 2, the output below illustrates the IP headers observed for the request and the reply by sniffers on each of FortiGate A’s and FortiGate B’s network interfaces. The right-most two digits of each IP header are the ToS field, which contains the DSCP value. Columns run from the User 1 side (left) to the User 2 side (right):

  Request (User 1 to User 2):   4500 4500 45b8 45b8 45b8 45b8
  Reply (User 2 to User 1):     45bc 45bc 45b4 45b4 4500 4500

 

Example

In this example, HTTPS and DNS traffic is sent from User 1 to FortiGate B, through FortiGate A. DSCP is enabled for both traffic directions on FortiGate A, and enabled only for reply traffic on FortiGate B. FortiGate A contains the following configuration:

config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-forward enable
        set diffserv-reverse enable
        set diffservcode-forward 101110
        set diffservcode-rev 101111
    next
end

 

FortiGate B contains the following configuration:

config firewall policy
    edit 2
        set srcintf wan2
        set dstintf internal
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-reverse enable
        set diffservcode-rev 101101
    next
end

As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic, but FortiGate B changes the DSCP field only for reply traffic which passes through its internal interface. Since the example traffic does not pass through the internal interface, FortiGate B does not mark the packets. The binary DSCP values in this configuration map to the following hexadecimal ToS field values:

  • DSCP 000000 is TOS field 0x00
  • DSCP 101101 is TOS field 0xb4, which is configured on FortiGate B but not observed by the sniffer because the example traffic originates from the FortiGate unit itself, and therefore does not match that security policy.
  • DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
  • DSCP 101111 is TOS field 0xbc

If you sent HTTPS or DNS traffic from User 1 to FortiGate B, the following illustrates the IP headers observed for the request and the reply by sniffers on each of FortiGate A’s and FortiGate B’s network interfaces. The right-most two digits of each IP header are the ToS field, which contains the DSCP value. Columns run from the User 1 side (left) toward the User 2 side (right):

  Request (from User 1):   4500 4500 45b8 45b8
  Reply (to User 1):       45bc 45bc 4500 4500
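The four sniffer tables in these examples follow from three rules the text states: a FortiGate rewrites the DSCP field of a packet it forwards, using diffservcode-forward for the direction that opened the session and diffservcode-rev for replies; a FortiGate does not mark traffic it originates itself; and hosts never mark. The Python model below is an added example, not FortiOS code or Fortinet documentation. It encodes those rules and reproduces each table. The path layout, the convention of one sniffer at each end of every link (so each link contributes two identical words) and the Policy/Node names are assumptions of the model.

```python
"""Model of how per-policy DSCP marking on FortiGate A and FortiGate B changes
the first IPv4 header word a sniffer prints along the path
User 1 <-> FortiGate A <-> FortiGate B <-> User 2.

Added example, not FortiOS code. Assumed rules: a FortiGate rewrites DSCP when
a packet leaves it (forward code for the session-opening direction, reverse code
for replies); a FortiGate never marks traffic it originates; hosts never mark.
Sniffers sit at both ends of every link, listed left to right from User 1."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def tos_byte(dscp_bits: str) -> int:
    """DSCP is the upper six bits of the ToS byte: ToS = DSCP << 2 (ECN bits zero)."""
    return int(dscp_bits, 2) << 2


def header_word(tos: int) -> str:
    """First 16-bit word of a minimal IPv4 header: version 4, IHL 5, then ToS."""
    return f"45{tos:02x}"


@dataclass
class Policy:
    forward: Optional[str] = None  # diffservcode-forward; None when diffserv-forward is disabled
    reverse: Optional[str] = None  # diffservcode-rev; None when diffserv-reverse is disabled


@dataclass
class Node:
    name: str
    policy: Optional[Policy] = None  # None for a host (User 1 / User 2)


def trace(path: List[Node], origin: int, dest: int, direction: str) -> List[str]:
    """Header words seen on each link while one packet travels path[origin] -> path[dest]."""
    step = 1 if dest > origin else -1
    tos = 0  # hosts and FortiGates originate traffic with DSCP 000000
    per_link: Dict[int, str] = {}
    for cur in range(origin, dest, step):
        node = path[cur]
        if node.policy is not None and cur != origin:  # FortiGate forwarding someone else's packet
            code = node.policy.forward if direction == "forward" else node.policy.reverse
            if code is not None:
                tos = tos_byte(code)
        per_link[min(cur, cur + step)] = header_word(tos)  # link index = its left-hand node
    # two sniffers per link (one at each end), ordered from the User 1 side
    return [per_link[i] for i in sorted(per_link) for _ in range(2)]


def ping_trace(path: List[Node], dest: int) -> Tuple[str, str]:
    """Request from User 1 (path[0]) to path[dest] and the reply back, as space-separated words."""
    request = " ".join(trace(path, 0, dest, "forward"))
    reply = " ".join(trace(path, dest, 0, "reverse"))
    return request, reply


def dscp_examples() -> Dict[str, Tuple[str, str]]:
    """Reproduce the sniffer tables of the four DSCP examples."""
    user1, user2 = Node("User 1"), Node("User 2")
    fgt_a_fwd = Node("FortiGate A", Policy(forward="101110"))
    fgt_a_both = Node("FortiGate A", Policy(forward="101110", reverse="101111"))
    fgt_b_off = Node("FortiGate B", Policy())
    fgt_b_rev = Node("FortiGate B", Policy(reverse="101101"))
    return {
        "example 1": ping_trace([user1, fgt_a_fwd, fgt_b_off, user2], dest=3),
        "example 2": ping_trace([user1, fgt_a_both, fgt_b_off, user2], dest=3),
        "example 3": ping_trace([user1, fgt_a_both, fgt_b_rev, user2], dest=3),
        # traffic terminates on FortiGate B, so its replies are self-originated and unmarked
        "example 4": ping_trace([user1, fgt_a_both, fgt_b_rev], dest=2),
    }


if __name__ == "__main__":
    for name, (req, rep) in dscp_examples().items():
        print(f"{name}: request {req} | reply {rep}")
```

The fourth case is the one to note: FortiGate B has a reverse code configured, yet its reply carries 0x00 on the wire between the two units, because the packet originates on FortiGate B itself. Only FortiGate A, which forwards the reply, rewrites it to 0xbc.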

 

ToS and DSCP traffic mapping

There are two types of traffic mapping: Type of Service (ToS) or DSCP (Differentiated Services Code Point). Only one method can be used at a time, with ToS set as the default method. You can set the type used and attributes in the CLI.

 

To set ToS or DSCP traffic mapping – CLI:

config system global
    set traffic-priority {tos | dscp}
    set traffic-priority-level {low | medium | high}
end

 

Mapping of DSCP and ToS hexadecimal values for QoS

Service Class                     DSCP Bits   DSCP Value   ToS Value   ToS Hexadecimal
Network Control                   111000      56-63        224         0xE0
Internetwork Control              110000      48-55        192         0xC0
Critical – Voice Data (RTP)       101110      46           184         0xB8
                                  101000      40           160         0xA0
Flash Override – Video Data       100010      34           136         0x88
                                  100100      36           144         0x90
                                  100110      38           152         0x98
                                  100000      32           128         0x80
Flash – Voice Control             011010      26           104         0x68
                                  011100      28           112         0x70
                                  011110      30           120         0x78
                                  011000      24           96          0x60
Immediate – Deterministic (SNA)   010010      18           72          0x48
                                  010100      20           80          0x50
                                  010110      22           88          0x58
                                  010000      16           64          0x40
Priority – Controlled Load        001010      10           40          0x28
                                  001100      12           48          0x30
                                  001110      14           56          0x38
                                  001000      8            32          0x20
Routine – Best Effort             000000      0            0           0x00
Routine – Penalty Box             000010      2            8           0x08
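The table lists fixed values, but one relation generates every row: the ToS byte is the six DSCP bits shifted left by two, and the top three DSCP bits are the RFC 791 IP precedence that the Service Class column names. The Python below is an added example, not FortiOS code. It derives a table row from its DSCP bits, names the standard per-hop behaviour the code point corresponds to (EF, CSn, AFxy), and decodes a sniffer header word such as 45b8 from the DSCP examples back into version, IHL, DSCP and ECN. The function names and the PRECEDENCE_NAMES list are my own; the precedence names follow RFC 791 and match the Service Class column.

```python
"""DSCP <-> ToS conversion and decoding of the first IPv4 header word printed by
a sniffer (for example '45b8'). Added example, not FortiOS code."""

# RFC 791 IP precedence names (top three bits of the ToS byte), lowest to highest.
PRECEDENCE_NAMES = ["Routine", "Priority", "Immediate", "Flash", "Flash Override",
                    "Critical", "Internetwork Control", "Network Control"]


def dscp_to_tos(dscp_bits: str) -> int:
    """The six DSCP bits occupy the top of the ToS byte: ToS = DSCP << 2."""
    if len(dscp_bits) != 6 or set(dscp_bits) - {"0", "1"}:
        raise ValueError(f"DSCP must be six binary digits, got {dscp_bits!r}")
    return int(dscp_bits, 2) << 2


def tos_to_dscp(tos: int) -> int:
    """Inverse of dscp_to_tos: drop the two ECN bits."""
    return (tos & 0xFF) >> 2


def phb_name(dscp: int) -> str:
    """Standard per-hop behaviour for a code point (RFC 2474 CS, RFC 2597 AF, RFC 3246 EF)."""
    if dscp == 46:
        return "EF"
    cls, drop = dscp >> 3, (dscp >> 1) & 0b11
    if dscp & 0b111 == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"AF{cls}{drop}"
    return f"unassigned (DSCP {dscp})"


def table_row(dscp_bits: str) -> tuple:
    """One row of the mapping table above, derived from the bits, plus the PHB name."""
    dscp = int(dscp_bits, 2)
    tos = dscp_to_tos(dscp_bits)
    return (PRECEDENCE_NAMES[dscp >> 3], dscp, tos, f"0x{tos:02X}", phb_name(dscp))


def parse_header_word(word: str) -> dict:
    """Decode the sniffer's first header word: version nibble, IHL nibble, ToS byte."""
    value = int(word, 16)
    tos = value & 0xFF
    dscp = tos_to_dscp(tos)
    return {
        "version": value >> 12,
        "ihl_words": (value >> 8) & 0xF,
        "tos": tos,
        "dscp": dscp,
        "ecn": tos & 0b11,
        "precedence": PRECEDENCE_NAMES[dscp >> 3],
        "phb": phb_name(dscp),
    }


if __name__ == "__main__":
    for bits in ("111000", "101110", "100010", "000000", "000010"):
        print(table_row(bits))
    print(parse_header_word("45b8"))
```

Two observations come out of running it: 0x08 (DSCP 2, the "penalty box" row) is not a standard code point, so a router that only knows CS, AF and EF will treat it as best effort; and a sniffer word whose low two bits are non-zero reflects ECN, not a DSCP change, which matters when comparing captures against configured diffservcode values.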

