Cybersecurity Forum


RamoFlor
New Contributor

Fortigate as a bandwidth controller

Hello, maybe someone can guide me, I want to use a fortigate (box or VM) to dedicate it to the task of controlling the bandwidth of my users. What should I take into account to determine which box or VM is best suited?
makco10
Contributor II

Hello,

There are some criteria that you must consider for the Appliance Fortigate (Box)

- FortiASIC
- Physical ports

For the VM look here: https://www.fortinet.com/br/products/virtualized-next-generation-firewall/faqs.html

Regards.
Defend Your Enterprise Network With Fortigate Next Generation Firewall
RamoFlor

Thank you Marcos for your answer, but it is not clear to me what I should consider. If the box has a more powerful CPU, should I then consider a high-performance box (1000 to 3980)?
rowan_kaag
New Contributor II

NP4 traffic shaping offloading

Accelerated Traffic shaping is supported by NP4 processors with the following limitations.

  • NP4 processors support policy-based traffic shaping. However, fast path traffic and traffic handled by the FortiGate CPU (slow path) are controlled separately, which means the policy setting on fast path does not consider the traffic on the slow path.

  • The port based traffic policing as defined by the inbandwidth and outbandwidth CLI commands is not supported.

  • DSCP configurations are supported.

  • Per-IP traffic shaping is supported.

  • QoS in general is not supported.

NP4Lite processors do not support traffic shaping for offloaded sessions.

You can also use the traffic shaping features of the FortiGate unit's main processing resources by disabling NP4 offloading. See Disabling NP offloading for firewall policies.

https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-hardware-acceleration/NP4.htm

=======...

NP6 processors and traffic shaping

NP6-offloaded traffic supports traffic shaping just like any other traffic with one exception: configuring in bandwidth traffic shaping has no effect on NP6 accelerated traffic. In bandwidth traffic shaping sets the bandwidth limit for incoming traffic for an interface.

Out bandwidth traffic shaping is supported. Out bandwidth traffic shaping sets the bandwidth limit for outgoing traffic for an interface. You can use the following command to configure out bandwidth traffic shaping:

    config system interface
        edit port1
            set outbandwidth 2000
    end

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-hardware-acceleration-52/NP6.htm

MSSP Security Engineer
RamoFlor

Hi Rowan, your comment is very interesting; I was not aware of the characteristics of the processor.


I want to control the bandwidth of approximately two thousand users, understanding a user as a terminal device (CPE), which is not necessarily in a LAN, but in a routed segment and/or in a different geographical area. Each CPE could have one IP (/30) or more (/29, /28, etc.); the traffic is approximately 1 Gbps on the outgoing interface.

How could I know if a VM or a Chassis is better for me?
rowan_kaag
New Contributor II

If you only want to shape outbound traffic without concession, go with a hardware box that has the NP6 processor. This will support any traffic shaping except for interface-based shaping (https://docs.fortinet.com/document/fortigate/6.0.0/hardware-acceleration/972559/np6-processors-and-t...).

If your proposed design is based on interface-based shaping, go with a VM, because the shaping will be CPU-based and an NP-accelerated box has no direct added value.
MSSP Security Engineer
RamoFlor


My design is based on traffic shaping policies: create an Address, create Traffic Shapers of the shared type with different speeds, since I want to limit each user's (CPE) upload and download speed, and then create a traffic shaping policy for each user.
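The per-CPE design described in this post, written out as an added FortiOS CLI example (not from the thread or from Fortinet documentation). Interface names, the address, the speed tier and the policy number are assumed placeholders, and exact keywords follow FortiOS 5.6/6.x and may differ between versions.

```fortios
# Added example, not part of the original post: one address object per CPE,
# one shared shaper per speed tier, one shaping policy per CPE.
# Interface names, subnet and speeds are assumed placeholders.
config firewall address
    edit "cpe-0001"
        set subnet 10.10.0.0 255.255.255.252   # one /30 per CPE (assumed)
    next
end

# A shared shaper per speed tier. With "per-policy enable", every shaping
# policy that references the shaper gets its own bucket, so a single
# "tier-10M" object can serve many CPEs without them competing for one
# 10 Mbps allowance. Only as many shaper objects as speed tiers are needed.
config firewall shaper traffic-shaper
    edit "tier-10M"
        set maximum-bandwidth 10240      # kbps
        set guaranteed-bandwidth 2048    # kbps
        set per-policy enable
    next
end

# One shaping policy per CPE. "traffic-shaper" limits the forward (upload)
# direction and "traffic-shaper-reverse" limits the return (download)
# direction, so inbound limiting is applied per policy here instead of with
# "set inbandwidth" on the interface, which the NP6 notes quoted above say has
# no effect on offloaded traffic. The number of shaping policies the model can
# hold is the figure to check in the Maximum Values Table before sizing.
config firewall shaping-policy
    edit 1
        set srcaddr "cpe-0001"
        set dstaddr "all"
        set service "ALL"
        set dstintf "port1"
        set traffic-shaper "tier-10M"
        set traffic-shaper-reverse "tier-10M"
    next
end
```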
rowan_kaag
New Contributor II

Sounds as if an NP6-capable hardware box should fit your requirements.
MSSP Security Engineer
RamoFlor

Thanks Rowan, I see that the 300E has an NP6 processor. Is there any limitation or restriction regarding the number of traffic shaping profiles or policies? The unit's data sheet does not mention anything.
rowan_kaag
New Contributor II

Please refer to the Maximum Values Table to see what limits are applied per model: https://docs.fortinet.com/max-value-table
MSSP Security Engineer