pacionet
New Member
March 21, 2025
Question

Fortigate - Traffic Shaper - Bottleneck


We have a network topology like below.

 

If we put a traffic shaper of 50 Mbps on the FortiGate (Central Site) to limit some traffic (Windows Update) on site 1 and site 2, and site 1, for example, at some moments produces more than 50 Mbps, the network is not congested but the traffic shaper drops a lot of packets and Windows Update will fail?

 

Thanks

 

shaper.png

1 reply

atakannatak
Explorer
March 23, 2025

Hi @pacionet ,

 

This behavior is actually an expected outcome on the traffic shaping (QoS) side. You can find a detailed explanation in the following article:

 

https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/297431/traffic-shaping

 

If needed, you can adjust percentile values based on traffic patterns per interface and classify traffic accordingly. However, during excessive traffic spikes, packet drops will still occur due to maximum bandwidth limitations. For a more detailed configuration guide, refer to the following article:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-a-Traffic-Shaping-profile/ta-p/270056

 

To determine which traffic shaper is being applied to specific traffic, you can use the diagnose sys session list command. For example, if a client with IP 192.168.1.10 is accessing web servers via HTTPS, you can filter and display the relevant session using the following commands:

diagnose sys session filter src 192.168.1.10
diagnose sys session filter dport 443
diagnose sys session list

 

This will provide detailed session information, including the applied traffic shaper, helping you analyze and troubleshoot traffic shaping policies effectively.

 

BR.

 

If my answer provided a solution for you, please mark the reply as solved so that others can get it easily while searching for similar scenarios.

 

Atakan ATAK
CCIE #68781
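
As an added illustration of the reply above (not part of the original thread and not FortiOS code): a generic token-bucket model of a 50 Mbps maximum-bandwidth limit, showing that traffic above the limit is dropped whether or not the link behind it has spare capacity. The burst size, tick length and traffic profiles are constructed assumptions, and the third profile assumes both sites' traffic passes through one limiter instance.

```python
# Added example: generic token-bucket limiter, not FortiOS's implementation.
# All rates, the burst size and the traffic profiles below are constructed.

def police(offered_mbps, rate_mbps=50.0, burst_mbit=5.0, tick_s=0.1):
    """Return per-tick (offered, sent, dropped) in Mbit for a rate limiter.

    The limiter only compares arrivals with its own token supply; it has no
    knowledge of how much capacity the link behind it still has free.
    """
    tokens = burst_mbit                      # bucket starts full
    rows = []
    for mbps in offered_mbps:
        tokens = min(burst_mbit, tokens + rate_mbps * tick_s)   # refill
        offered = mbps * tick_s
        sent = min(offered, tokens)          # forward what the tokens allow
        tokens -= sent
        rows.append((offered, sent, offered - sent))
    return rows


def summarize(rows):
    """Total offered/dropped volume (Mbit) and drop percentage."""
    offered = sum(r[0] for r in rows)
    dropped = sum(r[2] for r in rows)
    pct = 100.0 * dropped / offered if offered else 0.0
    return {"offered": round(offered, 2), "dropped": round(dropped, 2),
            "drop_pct": round(pct, 2)}


# Constructed 3-second profiles, one value per 100 ms tick (Mbps).
SITE1_STEADY = [40.0] * 30
SITE1_SPIKE = [40.0] * 10 + [80.0] * 10 + [40.0] * 10
SITE2_STEADY = [30.0] * 30
# Both sites through one limiter instance: per-tick sum of the two loads.
BOTH_SITES = [a + b for a, b in zip(SITE1_STEADY, SITE2_STEADY)]

if __name__ == "__main__":
    for name, load in [("site1 steady", SITE1_STEADY),
                       ("site1 spike", SITE1_SPIKE),
                       ("site1+site2 shared", BOTH_SITES)]:
        print(f"{name:20s} {summarize(police(load))}")
```

In this model the one-second spike to 80 Mbps loses 30 of 160 Mbit, and two sites that each stay under 50 Mbps still lose traffic once their sum exceeds the limit.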