Differentiated Services

Differentiated Services describes a set of end-to-end Quality of Service (QoS) capabilities. End-to-end QoS is the ability of a network to deliver service required by specific network traffic from one end of the network to another. By configuring differentiated services, you configure your network to deliver particular levels of service for different packets based on the QoS specified by each packet.

Differentiated Services (also called DiffServ) is defined by RFC 2474 and RFC 2475 as enhancements to IP networking that enable scalable service discrimination in the IP network without the need for per-flow state and signaling at every hop. Routers that understand differentiated services sort IP traffic into classes by inspecting the DS field in the IPv4 header or the Traffic Class field in the IPv6 header.

You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet.

If the differentiated services feature is not enabled, the FortiGate unit treats traffic as if the DSCP value is set to the default (00), and will not change IP packets’ DSCP field. DSCP values are also not applied to traffic if the traffic originates from a FortiGate unit itself.

The FortiGate unit applies the DSCP value and IPsec encryption to the differentiated services (formerly ToS) field in the first word of the IP header. The typical first word of an IP header, with the default DSCP value, is 4500:

  • 4 for IPv4
  • 5 for a length of five words
  • 00 for the default DSCP value

You can change the packet’s DSCP field for traffic that initiates a session (forward) and for reply traffic (reverse); each direction is enabled and configured separately in the security policy.

Changes to DSCP values in a security policy affect new sessions only. If traffic must use the new DSCP values immediately, clear all existing sessions.

DSCP is enabled using the CLI command:

config firewall policy
    edit <policy_number>
        set diffserv-forward enable
        set diffservcode-forward <binary_integer>
        set diffserv-reverse enable
        set diffservcode-rev <binary_integer>
    end

For more information on the different DSCP commands, see the examples below and the CLI Reference. If you only set diffserv-forward and diffserv-reverse without setting the corresponding diffservcode values, the FortiGate unit resets the DSCP bits to zero.

For a list of DSCP values and their ToS equivalents see Differentiated Services on page 2491. DSCP values can also be defined within a shared shaper as a single value, and within a per-IP shaper separately for the forward and reverse directions.

 

DSCP examples

For all of the following DSCP examples, the FortiGate units and client PCs are arranged as shown in the diagram below, and DSCP is configured in firewall policies.

[Figure: network diagram for the DSCP examples (User 1, FortiGate A, FortiGate B, User 2); the image is not reproduced here.]

Example

In this example, an ICMP ping is executed between User 1 and FortiGate B, through a FortiGate unit. DSCP is disabled on FortiGate B, and FortiGate A contains the following configuration:

config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-forward enable
        set diffservcode-forward 101110
    end

 

As a result, FortiGate A changes the DSCP field for outgoing traffic, but not for its reply traffic. The binary DSCP values used map to the following hexadecimal ToS field values, which are observable by a sniffer (also known as a packet tracer):

  • DSCP 000000 is TOS field 0x00
  • DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)

If you performed an ICMP ping between User 1 and User 2, the following output illustrates the IP headers for the request and the reply as seen by sniffers on each of the FortiGate unit’s network interfaces. The right-most two digits of each IP header are the ToS field, which contains the DSCP value.

 

 

 

Values are listed left to right from the User 1 side to the User 2 side.

           User 1                                          User 2
Request:   4500    4500    45b8    45b8    45b8    45b8
Reply:     4500    4500    4500    4500    4500    4500

Example

In this example, an ICMP ping is executed between User 1 and FortiGate B, through FortiGate A. DSCP is disabled on FortiGate B, and FortiGate A contains the following configuration:

config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-forward enable
        set diffserv-reverse enable
        set diffservcode-forward 101110
        set diffservcode-rev 101111
    end

 

As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic. The binary DSCP values used map to the following hexadecimal ToS field values, which are observable by a sniffer (also known as a packet tracer):

  • DSCP 000000 is TOS field 0x00
  • DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
  • DSCP 101111 is TOS field 0xbc

If you performed an ICMP ping between User 1 and User 2, the output below illustrates the IP headers observed for the request and the reply by sniffers on each of FortiGate A’s and FortiGate B’s network interfaces. The right-most two digits of each IP header are the ToS field, which contains the DSCP value.

 

 

Values are listed left to right from the User 1 side to the User 2 side.

           User 1                                          User 2
Request:   4500    4500    45b8    45b8    45b8    45b8
Reply:     45bc    45bc    4500    4500    4500    4500

 

Example

In this example, an ICMP ping is executed between User 1 and FortiGate B, through FortiGate A. DSCP is enabled for both traffic directions on FortiGate A, and enabled only for reply traffic on FortiGate B. FortiGate A contains the following configuration:

config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-forward enable
        set diffserv-reverse enable
        set diffservcode-forward 101110
        set diffservcode-rev 101111
    end

 

FortiGate B contains the following configuration:

config firewall policy
    edit 2
        set srcintf wan2
        set dstintf internal
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-reverse enable
        set diffservcode-rev 101101
    end

 

As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic, and FortiGate B changes the DSCP field only for reply traffic. The binary DSCP values in this configuration map to the following hexadecimal ToS field values:

  • DSCP 000000 is TOS field 0x00
  • DSCP 101101 is TOS field 0xb4
  • DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
  • DSCP 101111 is TOS field 0xbc

If you performed an ICMP ping between User 1 and User 2, the output below illustrates the IP headers observed for the request and the reply by sniffers on each of FortiGate A’s and FortiGate B’s network interfaces. The right-most two digits of each IP header are the ToS field, which contains the DSCP value.

 

 

Values are listed left to right from the User 1 side to the User 2 side.

           User 1                                          User 2
Request:   4500    4500    45b8    45b8    45b8    45b8
Reply:     45bc    45bc    45b4    45b4    4500    4500
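The header words in these tables can be reproduced by modelling the two policies. The following Python is an added example, not code from the FortiOS handbook or from Fortinet: it encodes a diffservcode value into the DS byte, renders and decodes the first IPv4 header word (4500, 45b8 and so on), and traces a request and its reply through FortiGate A and FortiGate B. The capture-point layout (sender, each unit's ingress and egress interface, receiver), the left-to-right ordering from the User 1 side, and the preservation of the two ECN bits are assumptions of the model, not documented FortiOS behaviour.

```python
# Added example (not code from the FortiOS handbook or from Fortinet). It models
# how diffserv-forward / diffserv-reverse settings on two in-path FortiGate units
# rewrite the DS byte, and renders the first IPv4 header word (4500, 45b8, ...)
# at each capture point the way the handbook's sniffer tables do.
# Assumptions: capture points are sender, each unit's ingress and egress
# interface, and receiver; only the six DSCP bits are rewritten (ECN kept);
# results are listed left to right from the User 1 side to the User 2 side.
from dataclasses import dataclass
from typing import Dict, List


def dscp_to_tos(diffservcode: str) -> int:
    """'101110' -> 0xB8: DSCP occupies the upper six bits of the DS/ToS byte."""
    if len(diffservcode) != 6 or set(diffservcode) - {"0", "1"}:
        raise ValueError(f"expected six binary digits, got {diffservcode!r}")
    return int(diffservcode, 2) << 2


def first_word(tos: int, version: int = 4, ihl: int = 5) -> str:
    """Render version / IHL / ToS as the four hex digits a sniffer prints."""
    return f"{(version << 12) | (ihl << 8) | (tos & 0xFF):04x}"


def decode_first_word(word: str) -> Dict[str, object]:
    """Decode a word such as '45b8' into version, header length, DSCP and ECN."""
    value = int(word, 16)
    tos = value & 0xFF
    return {
        "version": value >> 12,
        "header_bytes": ((value >> 8) & 0xF) * 4,
        "tos": tos,
        "dscp": format(tos >> 2, "06b"),
        "ecn": tos & 0x3,
    }


@dataclass
class Policy:
    """The DSCP-relevant settings of one 'config firewall policy' entry."""
    diffserv_forward: bool = False
    diffservcode_forward: str = "000000"
    diffserv_reverse: bool = False
    diffservcode_rev: str = "000000"

    def mark(self, tos: int, reverse: bool) -> int:
        enabled = self.diffserv_reverse if reverse else self.diffserv_forward
        code = self.diffservcode_rev if reverse else self.diffservcode_forward
        if not enabled:
            return tos  # direction not enabled: DS byte left untouched
        return dscp_to_tos(code) | (tos & 0x3)  # assumption: ECN bits preserved


def trace(policies: List[Policy], reverse: bool, initial_tos: int = 0) -> List[str]:
    """Header words at sender, ingress/egress of each unit in path order, receiver.

    The result is ordered from the User 1 side to the User 2 side, like the
    handbook tables, so the reply trace is reversed before it is returned.
    """
    path = list(reversed(policies)) if reverse else policies
    tos = initial_tos
    words = [first_word(tos)]              # as sent by the originating host
    for policy in path:
        words.append(first_word(tos))      # ingress interface: not yet rewritten
        tos = policy.mark(tos, reverse)
        words.append(first_word(tos))      # egress interface: after the policy
    words.append(first_word(tos))          # as received by the far host
    return words[::-1] if reverse else words


if __name__ == "__main__":
    # Third handbook example: FortiGate A marks both directions, FortiGate B reply only.
    fgt_a = Policy(True, "101110", True, "101111")
    fgt_b = Policy(diffserv_reverse=True, diffservcode_rev="101101")
    print("request:", " ".join(trace([fgt_a, fgt_b], reverse=False)))
    print("reply:  ", " ".join(trace([fgt_a, fgt_b], reverse=True)))
    print(decode_first_word("45b8"))
```

Run with the third example's policies it prints 4500 4500 45b8 45b8 45b8 45b8 for the request and 45bc 45bc 45b4 45b4 4500 4500 for the reply, matching the table above; building the first or second example's policies instead reproduces those tables too.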

 

Example

In this example, HTTPS and DNS traffic is sent from User 1 to FortiGate B, through FortiGate A. DSCP is enabled for both traffic directions on FortiGate A, and enabled only for reply traffic on FortiGate B. FortiGate A contains the following configuration:

config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-forward enable
        set diffserv-reverse enable
        set diffservcode-forward 101110
        set diffservcode-rev 101111
    end

 

FortiGate B contains the following configuration:

config firewall policy
    edit 2
        set srcintf wan2
        set dstintf internal
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set diffserv-reverse enable
        set diffservcode-rev 101101
    end

As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic, but FortiGate B changes the DSCP field only for reply traffic which passes through its internal interface. Since the example traffic does not pass through the internal interface, FortiGate B does not mark the packets. The binary DSCP values in this configuration map to the following hexadecimal ToS field values:

  • DSCP 000000 is TOS field 0x00
  • DSCP 101101 is TOS field 0xb4, which is configured on FortiGate B but not observed by the sniffer because the example traffic originates from the FortiGate unit itself, and therefore does not match that security policy.
  • DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
  • DSCP 101111 is TOS field 0xbc

If you sent HTTPS or DNS traffic from User 1 to FortiGate B, the following would illustrate the IP headers observed for the request and the reply by sniffers on each of FortiGate A’s and FortiGate B’s network interfaces. The right-most two digits of each IP header are the ToS field, which contains the DSCP value.

Values are listed left to right from the User 1 side to the User 2 side.

           User 1                          User 2
Request:   4500    4500    45b8    45b8
Reply:     45bc    45bc    4500    4500

 

ToS and DSCP traffic mapping

There are two types of traffic mapping: Type of Service (ToS) or DSCP (Differentiated Services Code Point). Only one method can be used at a time, with ToS set as the default method. You can set the type used and attributes in the CLI.

 

To set ToS or DSCP traffic mapping

config system global
    set traffic-priority {tos | dscp}
    set traffic-priority-level {low | medium | high}
end

 

Mapping of DSCP and ToS hexadecimal values for QoS

 

Service Class                    DSCP Bits   DSCP Value   ToS Value   ToS Hexadecimal
Network Control                  111000      56-63        224         0xE0
Internetwork Control             110000      48-55        192         0xC0
Critical – Voice Data (RTP)      101110      46           184         0xB8
                                 101000      40           160         0xA0
Flash Override – Video Data      100010      34           136         0x88
                                 100100      36           144         0x90
                                 100110      38           152         0x98
                                 100000      32           128         0x80
Flash – Voice Control            011010      26           104         0x68
                                 011100      28           112         0x70
                                 011110      30           120         0x78
                                 011000      24           96          0x60
Immediate – Deterministic (SNA)  010010      18           72          0x48
                                 010100      20           80          0x50
                                 010110      22           88          0x58
                                 010000      16           64          0x40
Priority – Controlled Load       001010      10           40          0x28
                                 001100      12           48          0x30
                                 001110      14           56          0x38
                                 001000      8            32          0x20
Routine – Best Effort            000000      0            0           0x00
Routine – Penalty Box            000010      2            8           0x08

Type of Service priority

Type of service (ToS) is an 8-bit field in the IP header that enables you to determine how the IP datagram should be delivered, using criteria of Delay, Throughput, Priority, Reliability, and Cost. Each quality helps gateways determine the best way to route datagrams. A router maintains a ToS value for each route in its routing table. The lowest priority ToS is 0; the highest is 7 when bits 3, 4, and 5 are all set to 1. There are other seldom used or reserved bits that are not listed here.

Together these bits are the ToS variable of the tos-based-priority command. The router tries to match the ToS of the datagram to the ToS on one of the possible routes to the destination. If there is no match, the datagram is sent over a zero ToS route. Using increased quality may increase the cost of delivery because better performance may consume limited network resources.

 

Each bit represents the priority as per RFC 1349:

  • 1000 – minimize delay
  • 0100 – maximize throughput
  • 0010 – maximize reliability
  • 0001 – minimize monetary cost

The ToS value is set in the CLI using the commands:

config system tos-based-priority
    edit <sequence-number>
        set tos [0-15]
        set priority [high | medium | low]
    end

 

Here tos is the value of the type of service bits in the IP datagram header, between 0 and 15, and priority is the priority assigned to that type of service. These priority levels conform to the firewall traffic shaping priorities, as defined in RFC 1349.

For example, if you want to configure the FortiGate unit so that reliability is the first priority, set the tos value to 4.

config system tos-based-priority
    edit 1
        set tos 4
        set priority high
    end

 

For a list of ToS values and their DSCP equivalents see Traffic shaping methods on page 2476.

 

Example

config system tos-based-priority
    edit 1
        set tos 1
        set priority low
    next
    edit 4
        set tos 4
        set priority medium
    next
    edit 6
        set tos 6
        set priority high
    next
end
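To make the tos-based-priority lookup concrete, the following Python is an added example, not code from the FortiOS handbook or from Fortinet. It holds the three entries above in a small table, names the RFC 1349 qualities that a tos value requests, looks up the priority for a packet's ToS value, and renders the table back into the CLI form shown. Two assumptions: the tos value (0-15) is taken to be the four ToS bits that sit between the three precedence bits and the MBZ bit of the ToS byte, and a ToS value with no matching entry is given a default priority (high here) chosen for the model rather than taken from FortiOS.

```python
# Added example (not code from the FortiOS handbook or from Fortinet). It models
# the 'config system tos-based-priority' table: RFC 1349 ToS bit names, the
# ToS-to-priority lookup FortiOS performs when a packet arrives, and rendering
# the table back into CLI form. Assumptions: the 'tos' value (0-15) is the four
# ToS bits between the three precedence bits and the MBZ bit of the ToS byte;
# a ToS value with no matching entry keeps a default priority chosen here.
from typing import Dict, List, Tuple

# RFC 1349 ToS bits as listed on the page (bit value -> meaning).
RFC1349_BITS = {
    0b1000: "minimize delay",
    0b0100: "maximize throughput",
    0b0010: "maximize reliability",
    0b0001: "minimize monetary cost",
}
PRIORITIES = ("high", "medium", "low")


def check_tos(tos: int) -> int:
    """Enforce the 0-15 range of 'set tos'."""
    if not 0 <= tos <= 15:
        raise ValueError(f"tos must be 0-15, got {tos}")
    return tos


def describe_tos(tos: int) -> List[str]:
    """Names of the RFC 1349 qualities requested by a 4-bit ToS value."""
    return [name for bit, name in RFC1349_BITS.items() if check_tos(tos) & bit]


def tos_bits_from_byte(tos_byte: int) -> int:
    """Extract the four ToS bits from a full ToS byte (PPP TTTT M layout)."""
    return (tos_byte >> 1) & 0xF


class TosBasedPriority:
    """In-memory model of 'config system tos-based-priority'."""

    def __init__(self, default_priority: str = "high") -> None:
        self.entries: Dict[int, Tuple[int, str]] = {}
        self.default_priority = default_priority  # modelling assumption

    def edit(self, sequence: int, tos: int, priority: str) -> None:
        if priority not in PRIORITIES:
            raise ValueError(f"priority must be one of {PRIORITIES}, got {priority!r}")
        self.entries[sequence] = (check_tos(tos), priority)

    def lookup(self, tos: int) -> str:
        """Priority for a packet's ToS value; the lowest sequence number wins."""
        for seq in sorted(self.entries):
            entry_tos, priority = self.entries[seq]
            if entry_tos == check_tos(tos):
                return priority
        return self.default_priority

    def as_cli(self) -> str:
        """Render the table in the CLI form used by the handbook."""
        lines = ["config system tos-based-priority"]
        for seq in sorted(self.entries):
            entry_tos, priority = self.entries[seq]
            lines += [f"    edit {seq}", f"        set tos {entry_tos}",
                      f"        set priority {priority}", "    next"]
        lines.append("end")
        return "\n".join(lines)


def example_table() -> TosBasedPriority:
    """The three-entry table from the page's example."""
    table = TosBasedPriority()
    table.edit(1, 1, "low")
    table.edit(4, 4, "medium")
    table.edit(6, 6, "high")
    return table


if __name__ == "__main__":
    table = example_table()
    print(table.as_cli())
    for tos_byte in (0x00, 0x08, 0x0C):  # constructed sample ToS bytes
        bits = tos_bits_from_byte(tos_byte)
        print(f"ToS byte 0x{tos_byte:02x} -> tos {bits} {describe_tos(bits)} -> {table.lookup(bits)}")
```

The lookup walks entries in sequence order, so if two entries carried the same tos value the lower sequence number would decide; that tie-break is part of the model, not a documented FortiOS rule.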

 

ToS in FortiOS

Traffic shaping and ToS follow the following sequence:

  • The CLI command tos-based-priority acts as a tos-to-priority mapping. FortiOS maps the ToS to a priority when it receives a packet.
  • Traffic shaping settings adjust the packet’s priority according to the traffic.
  • Deliver the packet based on its priority.

 

Traffic Shaping Units of Measurement

Bandwidth speeds are measured in Kilobits per second (Kb/s), and Bytes that are sent/received are measured in megabytes (MB). Occasionally this can cause confusion depending on whether your ISP uses kilobits (kbps), kilobytes (KB), megabits per second (mbps), or gigabits per second (gbps).

 

Download Speeds

  • 1 kilobit per second (kbps) = 8 kilobytes per second (KB/s)
  • 1 megabit per second (mbps) = 1,000,000 bits per second (bps)
  • 1 gigabit per second (gbps) = 1,000 megabits per second (mbps)

 

File Sizes

  • 1 megabyte (MB) = 1,024 kilobytes (KB)
  • 1 gigabyte (GB) = 1,024 megabytes (MB) or 1,048,576 kilobytes (KB)

 

To change a shaper’s unit of measurement – CLI

config firewall shaper traffic-shaper
    edit <shaper name>
        set bandwidth-unit {kbps | mbps | gbps}
    end

Enabling traffic shaping in the security policy

Historically, FortiOS traffic shapers have always been enabled within a security policy. This is no longer the easiest way to apply shapers, since in FortiOS 5.4 traffic shaping is configured in the traffic shaping policy section, under Policy & Objects > Traffic Shaping Policy. However, you can still enable traffic shapers within a security policy using CLI commands, and they will then appear in the web-based manager afterwards. The shapers always go into effect after any DoS detection policies, and before any routing or packet scanning occurs.

Traffic shaping is also supported for IPv6 policies.

This is not the recommended method, as it is easier to keep track of and order your traffic shaping policies if you configure them within a traffic shaping policy.

 

To enable traffic shaping within a security policy- CLI:

config firewall policy
    edit <policy number>
        set traffic-shaper <shaper name>
        set traffic-shaper-reverse <shaper name>
        set per-ip-shaper <per IP shaper name>
    end

Shared shapers affect outbound traffic heading to a destination. To affect inbound traffic, or downloads, enable the Reverse Shaper too. For more information, see Reverse direction traffic shaping on page 2487.

Reverse direction traffic shaping

The shaper you select in the traffic shaping policy (shared shaper) will affect the traffic in the direction defined in the policy. For example, if the source port is lan and the destination is wan1, the shaping affects the flow in this direction only — affecting the upload speed of the outbound traffic. By selecting Shared Traffic Shaper Reverse Direction, you can define the traffic shaper for the policy in the opposite direction to affect the download speed of the inbound traffic. In this example, from wan1 to lan.

 

To add a reverse shaper

  1. Go to Policy & Objects > Traffic Shaping Policy.
  2. Click Create New or select an existing policy and click Edit.
  3. Set the Matching Criteria to match the interfaces of any security policies you wish to affect.
  4. Navigate to the Apply shaper section, enable the Shared Shaper, and select a shaper from the dropdown menu.
  5. Enable the Reverse Shaper and select a shaper from the dropdown menu.
  6. Select OK.

 

Setting the reverse direction only

There may be instances where you only need traffic shaping for incoming connections, which is in the “reverse” direction of typical traffic shapers.

 

To add a reverse shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shaping Policy.

2. Click Create New or select an existing policy and click Edit.

3. Set the Matching Criteria to match the interfaces of any security policies you wish to affect.

4. Navigate to the Apply shaper section, enable the Reverse Shaper and select a shaper from the dropdown menu.

5. Select OK.

 

To configure a reverse-only shaper in a traffic shaping policy – CLI:

config firewall shaping-policy
    edit <policy_number>
        set reverse-traffic-shaper medium-priority
    end

 

To configure a reverse-only shaper within a security policy- CLI:

config firewall policy
    edit <policy_number>
        set traffic-shaper-reverse <shaper_name>
    end

Application control shaping

Traffic shaping is also possible for specific applications. Application control shaping works in conjunction with a Shared Shaper or Per-IP Shaper. You must create a shaper with the bandwidth settings you would like to enforce, or edit one of the predefined shapers in the Policy & Objects > Traffic Shapers menu.

Traffic shaping policies allow you to enable these shapers and configure application control options. In the traffic shaping policy, you can set an Application Category, Application, and URL Category. You must also specify which security policies to apply your shaper to by setting the Matching Criteria. You can create a traffic shaping policy in the Policy & Objects > Traffic Shaping Policy section.

For application control shaping to work, application control must be enabled in a security policy, through Policy & Objects > IPv4 Policy or Policy & Objects > IPv6 Policy under Security Profiles.

Also, application control shaping will only affect applications that are set to pass in the Security Profiles > Application Control menu.

For more information on application control, see the FortiOS Chapter 22 – Security Profiles Guide.

 

Example

This example sets the traffic shaping definition for Facebook to a medium priority, a default traffic shaper.

 

To add traffic shaping for Facebook – web-based manager:

1. Go to Policy & Objects > IPv4 Policy to create a general Internet access security policy.

2. Select the Create New “Plus” icon in the upper right corner of the screen to create a new security policy (or edit an existing Internet access policy).

3. Set the following to enable application control within a security policy:

Name                    <Enter a descriptive name.>
Incoming Interface      Internal
Source address          All
Outgoing interface      wan1
Destination address     all
Schedule                Always
Service                 Any
Action                  Accept
Application Control     Under Security Profiles, enable Application Control and select the default application control profile.

4. Select OK.

5. Go to Policy & Objects > Traffic Shaping Policy and the Create New “Plus” icon to create a new traffic shaping policy.

6. To apply your traffic shaping policy to the security policy you created earlier set the Matching Criteria to the following:

Source                  all
Destination address     all
Service                 ALL
Application Category    Social.Media
Application             Facebook
URL Category            Social Networking

7. Under Apply shaper, set the following:

Outgoing interface      any (The outgoing interface should match the outgoing interface of the security policy you wish to apply shaping to.)
Shared Shaper           Enable Shared Shaper and select medium-priority from the dropdown menu.
Reverse Shaper          Enable Reverse Shaper and select medium-priority from the dropdown menu.
Enable this policy      Enable this policy.

8. Select OK.

9. On the policy list page, move the facebook traffic shaping policy to the top of the list by clicking on the far left column to drag and drop it.

 

To create a traffic shaping policy for Facebook – CLI:

config firewall shaping-policy
    edit 1 <shaping policy ID number>
        set srcaddr all
        set dstaddr all
        set service ALL
        set application 15832
        set app-category 23 <Social.Media>
        set url-category 37 <Social Networking>
        set dstintf wan1 <outgoing interface>
        set traffic-shaper medium-priority
        set reverse-traffic-shaper medium-priority
    end

Per-IP shaping

Traffic shaping by IP enables you to apply traffic shaping to all source IP addresses in the security policy. As well as controlling the maximum bandwidth users of a selected policy, you can also define the maximum number of concurrent sessions.

Per-IP traffic shaping enables you to limit the behavior of every member of a policy so that one user cannot consume all the available bandwidth: the bandwidth is shared equally within the group. Using a per-IP shaper avoids having to create multiple policies for every user you want to apply a shaper to. Per-IP traffic shaping is not supported over NP2 interfaces.

 

PerIP traffic shaping configuration settings

To configure per-IP traffic shaping go to Policy & Objects > Traffic Shapers > Per-IP and select the Create New “Plus” sign.

Type                              Select PerIP.

Name                              Enter a name for the per-IP traffic shaper.

Maximum Bandwidth                 The maximum bandwidth sets the largest amount of traffic that is allowed to use the policy. Depending on the service or the users included in the security policy, this number can provide a larger or smaller throughput depending on the priority you set for the shaper. Setting Maximum Bandwidth to 0 (zero) provides unlimited bandwidth.

Maximum Concurrent Connections    Enter the maximum number of allowed concurrent connections.

Forward DSCP / Reverse DSCP       Enter the number for the DSCP value. You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet. For more information, see Traffic shaping methods.

 

Example

The following steps create a Per-IP traffic shaper called “Accounting” with a maximum traffic amount of 720,000 Kb/s, and the number of concurrent sessions of 200.

 

To create the per-IP shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers and select the Create New “Plus” Icon.

2. Set the Type to PerIP.

3. Enter the Name Accounting.

4. Enable the Maximum Bandwidth and enter the value 720000.

5. Enable the Maximum Concurrent Sessions and enter the value 200.

6. Select OK.

 

To create the per-IP shaper – CLI:

config firewall shaper per-ip-shaper
    edit Accounting
        set max-bandwidth 720000
        set max-concurrent-session 200
    end

 

Adding a Per-IP traffic shaper to a traffic shaping policy

Per-IP traffic shaping is supported by IPv6 security policies. You can add any Per-IP traffic shaper to an IPv6 security policy in the CLI.

 

Example

The following steps show you how to add an existing Per-IP traffic shaper to an IPv6 security policy. Make sure that you have already created a Per-IP traffic shaper under Policy & Objects > Traffic Shapers.

 

To add a Per-IP traffic shaper to an IPv6 security policy – web-based manager:

1. Go to Policy & Objects > IPv6 Policy and click the Create New “Plus” icon to create an internet access policy.

2. Set the following:

 

Name                    Enter a descriptive name.
Incoming Interface      Internal
Source address          All
Outgoing interface      wan1
Destination address     all
Schedule                Always
Service                 Any
Action                  Accept

3. Select OK.

4. Go to Policy & Objects > Traffic Shaping Policy and the Create New “Plus” icon to create a new traffic shaping policy.

5. To apply your traffic shaping policy to the security policy you created earlier set the Matching Criteria to the following:

Source                  all
Destination address     all
Service                 ALL
Application Category
Application
URL Category

6. Under Apply shaper, set the following:

 

Outgoing interface      any (The outgoing interface should match the outgoing interface of the security policy you wish to apply shaping to.)
Shared Shaper
Reverse Shaper
PerIP Shaper            Enable PerIP Shaper and select your shaper from the dropdown menu.
Enable this policy      Enable this policy.

7. Select OK.

8. On the policy list page, move the Per-IP Shaper to the top of the list by clicking on the far left column to drag and drop it.

There are two methods to configure traffic shaping in the CLI. You can add a Per-IP shaper directly to an IPv6 security policy, or you can add a Per-IP shaper to a traffic shaping policy. The second method will allow you to apply traffic shaping based on the interface and can therefore affect multiple security policies easily. The first method requires that you enable traffic shaping individually in ALL policies using the same two interfaces.

 

To add a Per-IP traffic shaper to an IPv6 security policy- CLI:

config firewall policy6
    edit <security policy ID number>
        set per-ip-shaper <per IP shaper name>
    end

 

To add a Per-IP traffic shaper to an IPv6 traffic shaping policy -CLI:

config firewall shaping-policy
    edit 1 <shaping policy ID number>
        set ip-version 6
        set srcaddr <source address>
        set dstaddr <destination address>
        set service <service name>
        set dstintf <outgoing interface>
        set per-ip-shaper <per IP shaper name>
    end

Shared policy shaping

Traffic shaping by security policy enables you to control the maximum and/or guaranteed throughput for any security policies specified in the Traffic Shaping Policy.

When configuring a shaper, you can select to apply the bandwidth shaping per policy or for all policies. Depending on your selection, the FortiGate unit will apply the shaping rules differently.

By default, shared shapers apply shaping evenly to all policies using them. For the Per policy and All policies using this shaper options to appear in the web-based manager, you must first enable them in the CLI. Go to Policy & Objects > Traffic Shapers, right-click the shaper to edit it in the CLI, and enter:

set per-policy enable
end

 

Per policy

When selecting a shared shaper to be per policy, the FortiGate unit will apply the shaping rules defined to each security policy individually.

For example, if a shaper is set to per policy with a maximum bandwidth of 1000 Kb/s and applied to four security policies, each policy has the same maximum bandwidth of 1000 Kb/s.

Per policy traffic shaping is compatible with client/server (active-passive) transparent mode WAN optimization rules. Traffic shaping is ignored for peer-to-peer WAN optimization and for client/server WAN optimization not operating in transparent mode.

 

For all policies using a shaper

When selecting a shared shaper to be for all policies (All Policies using this shaper), the FortiGate unit applies the shaping rules to all policies using the same shaper. For example, suppose the shaper has a maximum bandwidth of 1000 Kb/s, and all four security policies monitoring traffic through the FortiGate unit have the shaper enabled. The four policies must share the defined 1000 Kb/s, on a first come, first served basis: if policy 1 uses 800 Kb/s, the remaining three must share 200 Kb/s. As policy 1 uses less bandwidth, the freed bandwidth becomes available to the other policies as required. Once the bandwidth is used up, any other policies will encounter latency until bandwidth is freed by a policy currently in use.

 

Maximum and guaranteed bandwidth

The maximum bandwidth sets the largest amount of traffic that is allowed to use the policy. Depending on the service or the users included in the security policy, this number can provide a larger or smaller throughput depending on the priority you set for the shaper.

The Maximum Bandwidth can be set to a value of between 1 and 16776000 kbit/s. The Web-Based Manager gives an error if any value outside of this range is used, but in the CLI a value of 0 can be entered. Setting maximum-bandwidth to 0 (zero) prevents any traffic from going through the policy.

The guaranteed bandwidth ensures there is a consistent reserved bandwidth available for a given service or user. When setting the guaranteed bandwidth, ensure that the value is significantly less than the bandwidth capacity of the interface; otherwise little or no other traffic will pass through the interface, potentially causing unwanted latency.

Traffic priority

Select a Traffic Priority of high, medium or low, so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server that needs to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.

Be sure to enable traffic shaping on all security policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default. Distribute security policies over all three priority queues.

Traffic shaping policy order

The traffic shaping policies must also be placed in the correct order in the traffic shaping policy list page to get the desired results. It is necessary to arrange your traffic shaping policies into a sequence that places your more granular policies above general internet access policies. For example, you would place any policies with application control shaping at the top of the traffic shaping policy list. More general traffic shaping policies with shared policy shapers and/or Per-IP shapers would follow.

The policy list page is located under Policy & Objects > Traffic Shaping Policy. You can change the order of your policies by selecting the far left column to move the policy up or down. Make sure that the Seq.# column is shown on your menu to easily verify a policy’s position in the sequence.

The following example illustrates how to order your policies. The high priority VoIP traffic shaping policy is placed at the top of the list, followed by restrictive policies to control streaming media, and your general internet access policy is placed last.

Traffic Shaping Policy Configuration Settings

To configure a traffic shaping policy go to Policy & Objects > Traffic Shaping Policy and select the Create New “Plus” sign to create a new traffic shaping policy.

Set the “Matching Criteria” to the default options shown below or specify the criteria so that it matches a specific security policy.

Source – all (default)

Destination – all (default)

Service – ALL (default)

Application Category – Choose an application category to apply shaping to a specific category of applications. For example, P2P, Social.Media, or VoIP.

Application – Choose an application to specify which applications you wish to apply traffic shaping to. For example, YouTube, Vimeo, or Facebook.

URL Category – Choose a URL category to block a subset of applications. For example, potentially liable websites, security risks, or bandwidth consuming services.

Set Apply shaper to the following:

Outgoing Interface – any (Set this to the external interface you wish to apply shaping to. For example, wan1 is often used.)

Shared Shaper – Choose one of the default shared shapers: guarantee-100kbps, high-priority, medium-priority, low-priority, shared-1M-pipe, or create your own under Policy & Objects > Traffic Shapers. Shared shapers share the allotted bandwidth with any security policies using them (unless they are set to per-policy in the CLI). This affects uploads or outbound traffic.

Reverse Shaper – Choose one of the default shared shapers: guarantee-100kbps, high-priority, medium-priority, low-priority, shared-1M-pipe, or create your own under Policy & Objects > Traffic Shapers. This affects downloads or inbound traffic.

Per-IP Shaper – Enable a Per-IP Shaper if you want to apply shaping by bandwidth management by user IP addresses. Shapers are created under Policy & Objects > Traffic Shapers. Per-IP shapers affect downloads and uploads.

Enable this policy – Policies are enabled by default, but if you wish to disable a traffic shaping policy, de-select it here.

To create the traffic shaping policy – CLI:

config firewall shaping-policy
    edit <shaping policy ID>
        set srcaddr <source address>
        set dstaddr <destination address>
        set service <service name>
        set application <application name>
        set app-category <application category ID list>
        set url-category <URL category ID list>
        set dstintf <destination interface list>
        set traffic-shaper <shared shaper name>
        set traffic-shaper-reverse <reverse traffic shaper name>
        set per-ip-shaper <per IP shaper name>
    next
end

VLAN, VDOM and virtual interfaces

Policy-based traffic shaping does not use queues directly. It shapes the traffic and if the packet is allowed by the security policy, then a priority is assigned. That priority controls what queue the packet will be put in upon egress. VLANs, VDOMs, aggregate ports and other virtual devices do not have queues and as such, traffic is sent directly to the underlying physical device where it is queued and affected by the physical ports. This is also the case with IPsec connections.

Shared traffic shaper configuration settings

To configure a shared traffic shaper go to Policy & Objects > Traffic Shapers and select the Create New “Plus” sign to create a new traffic shaper.

Type – Select Shared.

Name – Enter a name for the traffic shaper.

Apply Shaper – When selecting a shaper to be Per Policy, the FortiGate unit will apply the shaping rules defined to each security policy individually. For example, if a shaper is set to per policy, with a maximum bandwidth of 1000 Kb/s, any security policies that have that shaper enabled will get 1000 Kb/s of bandwidth each.

When selecting a shaper to be for all policies – For All Policies Using This Shaper – the FortiGate unit applies the shaping rules to all policies using the same shaper. For example, the shaper is set to For All Policies Using This Shaper with a maximum bandwidth of 1000 Kb/s. There are four security policies monitoring traffic through the FortiGate unit. All four have the shaper enabled. The four security policies must share the defined 1000 Kb/s, which is allocated on a first come, first served basis. For example, if policy 1 uses 800 Kb/s, the remaining three must share 200 Kb/s. As policy 1 uses less bandwidth, that open bandwidth becomes available to the other policies to use as required. Once the bandwidth is fully used, any other policies will encounter latency until free bandwidth opens from a policy currently in use.

Traffic Priority – Select the level of importance (Priority) so that the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server that needs to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority.

If you do not apply any traffic shaping priority, the priority is set to high priority by default.

Maximum Bandwidth – The maximum bandwidth sets the largest amount of traffic allowed through the security policy. Depending on the service or the users included in the security policy, this number can provide a larger or smaller throughput, depending also on the priority you set for the shaper.

Setting Maximum Bandwidth to 0 (zero) provides unlimited bandwidth.

Guaranteed Bandwidth – The guaranteed bandwidth ensures that a consistent reserved bandwidth is available for a given service or user. Ensure that you set the bandwidth to a value that is significantly less than the bandwidth capacity of the interface. Otherwise little to no traffic will pass through the interface, potentially causing unwanted latency.

Setting Guaranteed Bandwidth to 0 (zero) provides unlimited bandwidth.

DSCP – Enter the number for the DSCP value. You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet. For more information, see Traffic shaping methods.

Shared Shaper Per Policy Example

The following steps create a Per Policy traffic shaper called “Throughput” with a maximum traffic amount of 720,000 Kb/s and a guaranteed traffic of 150,000 Kb/s, with a high traffic priority.

To create the shared shaper – web-based manager:

1. Go to Policy & Objects > Traffic Shapers and select the Create New “Plus” sign.

2. Set the Type to Shared.

3. Enter the Name Throughput.

4. Set the Apply shaper field to Per Policy.

By default, shared shapers apply shaping evenly to all policies using them. For the Per policy and All policies using this shaper options to appear in the web-based interface, you must first enable them in the CLI. Go to Policy & Objects > Traffic Shapers and right-click on the shaper to edit it in the CLI. Enter:

    set per-policy enable
    end

5. Set the Traffic Priority to High.

6. Select the Maximum Bandwidth check box and enter the value 150000.

7. Select the Guaranteed Bandwidth check box and enter the value 120000.

8. Select OK.

To create the shared shaper – CLI:

config firewall shaper traffic-shaper
    edit Throughput
        set per-policy enable
        set maximum-bandwidth 150000
        set guaranteed-bandwidth 120000
        set priority high
    next
end

Traffic shaping methods

In FortiOS, there are three types of traffic shaping configurations. Each has a specific function, and all can be used together in varying configurations. Policy shaping enables you to define the maximum bandwidth and the guaranteed bandwidth set for a security policy. Per-IP shaping enables you to define traffic control on a more granular level. Application traffic shaping goes further, enabling traffic controls on specific applications or application groupings.

This chapter describes the types of traffic shapers and how to configure them in the web-based manager and the CLI.

To configure traffic shaping in the web-based manager, you must enable the Traffic Shaping feature under System > Feature Select.

Traffic shaping options

When configuring traffic shaping for your network, there are three different methods to control the flow of network traffic to ensure that the desired traffic gets through while also limiting bandwidth for less important or bandwidth consuming traffic. The three methods are the following:

  • Shared policy shaping – bandwidth management by security policies
  • PerIP shaping – bandwidth management by user IP addresses
  • Application control shaping – bandwidth management by application

Shapers allow you to define how traffic will flow by setting the traffic priority, bandwidth and DSCP options. Shared policy shapers and Per-IP shapers are created under Policy & Objects > Traffic Shapers.

Traffic Shapers are then enabled within the traffic shaping policy, under Policy & Objects > Traffic Shaping Policy. Application control shaping can be applied to any traffic shaping policy, under Policy & Objects > Traffic Shaping Policy. You can control traffic by application category, application, and/or URL category.

To apply application control shaping, you must first enable application control at the policy level, under Policy & Objects > IPv4 Policy.

Traffic shaping policies allow you to apply traffic shaping measures to any traffic matching your criteria. The criteria must specify a source, a destination, a service, and the outgoing interface. Also, at least one type of shaper must be enabled to create a traffic shaping policy.

The three different traffic shaping options offered by the FortiGate unit can be enabled at the same time within a single traffic shaping policy. Generally, the hierarchy for traffic shapers in FortiOS is:

  • Application control shaper
  • Shared policy shaper
  • Per-IP shaper

Within this hierarchy, if an application control list has a traffic shaper defined, it will always have precedence over any other policy shaper. For example, the Facebook application control example shown in Application control shaping on page 2485 will supersede any security policy enabled traffic shapers. While the Facebook application may reach its maximum bandwidth, the user can still have the bandwidth room available from the Shared Shaper and, if enabled, the Per-IP shaper.

Equally, any security policy shared shaper will have precedence over any per-IP shaper. However, traffic that exceeds any of these shapers will be dropped. For example, the policy shaper will take effect first, however, if the per-IP shaper limit is reached first, then traffic for that user will be dropped even if the shared shaper limit for the policy has not been exceeded.
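The two shared-shaper modes described under “For all policies using a shaper” and the shaper precedence described above, as an added Python model that is not FortiOS code: bandwidth is accounted per one-second interval in kbit/s, the application, shared and per-IP shapers are applied in that order, and whatever any stage refuses is dropped. The shaper names and 10.0.0.x addresses are constructed sample values, and the model ignores queuing and the freeing of bandwidth over time.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Shaper:
    """One bandwidth limit, accounted over a single one-second interval (kbit/s)."""
    name: str
    max_kbps: int  # 0 = unlimited, as the shared-shaper settings table states
    used: int = 0

    def admit(self, kbps: int) -> int:
        """Admit as much of `kbps` as the remaining limit allows; return the admitted amount."""
        admitted = kbps if self.max_kbps == 0 else min(kbps, max(self.max_kbps - self.used, 0))
        self.used += admitted
        return admitted


@dataclass
class ShapingPolicy:
    """A traffic shaping policy holding up to three shapers, applied in FortiOS precedence order."""
    app: Optional[Shaper]
    shared: Optional[Shaper]  # the same Shaper object may be held by several policies
    per_ip_max: int  # per-IP limit in kbit/s, 0 = no per-IP shaper
    per_ip: Dict[str, Shaper] = field(default_factory=dict)

    def shape(self, src_ip: str, kbps: int) -> Tuple[int, int]:
        """Return (forwarded, dropped): application shaper first, then shared, then per-IP."""
        remaining = self.app.admit(kbps) if self.app else kbps
        remaining = self.shared.admit(remaining) if self.shared else remaining
        if self.per_ip_max:
            bucket = self.per_ip.setdefault(src_ip, Shaper(src_ip, self.per_ip_max))
            remaining = bucket.admit(remaining)
        return remaining, kbps - remaining


def for_all_policies() -> Tuple[int, int]:
    """Two policies hold one 1000 kbit/s shaper object: first come, first served."""
    pipe = Shaper("shared-1M-pipe", 1000)
    p1, p2 = ShapingPolicy(None, pipe, 0), ShapingPolicy(None, pipe, 0)
    return p1.shape("10.0.0.1", 800)[0], p2.shape("10.0.0.2", 500)[0]  # constructed IPs; (800, 200)


def per_policy() -> Tuple[int, int]:
    """Per-policy mode: each policy gets its own 1000 kbit/s copy of the shaper."""
    p1 = ShapingPolicy(None, Shaper("Throughput", 1000), 0)
    p2 = ShapingPolicy(None, Shaper("Throughput", 1000), 0)
    return p1.shape("10.0.0.1", 800)[0], p2.shape("10.0.0.2", 500)[0]  # (800, 500)


def per_ip_limit_drops_first() -> Tuple[int, int]:
    """A 300 kbit/s per-IP shaper drops the excess although the shared 1000 kbit/s limit is not reached."""
    policy = ShapingPolicy(None, Shaper("shared-1M-pipe", 1000), 300)
    return policy.shape("10.0.0.1", 500)  # (300, 200)
```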