FortiGate
AnthonyH (Staff)
Article Id 270056
Description: This article describes how to create a Traffic Shaping profile for egress traffic. A Traffic Shaping profile allocates and reserves bandwidth as a share of the interface's total out bandwidth.
Scope: FortiGate.
Solution

A Traffic Shaping profile divides traffic into classes and limits each class according to its definition. Each class requires a guaranteed and a maximum bandwidth: guaranteed bandwidth is reserved for the class's traffic, and maximum bandwidth is the cap on what the class can use.

 

In this scenario, three classes are allocated and each is tested individually: 50% for LAN traffic, 30% for VOIP traffic, and 20% for Guest traffic, for a total of (50+30+20) 100% of the shaped bandwidth. The total out bandwidth is tested at 500 Mbps.

 

For guaranteed bandwidth, 250 Mbps bandwidth is available for the traffic policy.

 

For maximum bandwidth, the class is capped at 250 Mbps.

 

To create a Traffic Shaping class, define a Traffic Shaping class ID, maximum bandwidth, guaranteed bandwidth, and priority.

 

Note:

Maximum bandwidth must be configured for guaranteed bandwidth to work as expected. If maximum bandwidth is not configured, the guaranteed bandwidth traffic will not be prioritized.

 

Go to Policy & Objects -> Traffic Shaping -> Traffic Shaping Profiles.

 

[Screenshot: Traffic shaping class]

 

After configuring our three classes, the shaping profile is now ready to be used for the traffic shaping policy.

 

[Screenshot: Shaping profile]

 

The Traffic Shaping policy matches traffic on the policy's source and destination IP, service, application, and URL category. Only one traffic shaping profile can be selected per policy. The policy will be demonstrated by applying the LAN 50 class first, then the VOIP 30 class, and finally the Guest 20 class.

For example, the LAN 50 class has been configured to guarantee us 50% of the total out bandwidth and a maximum of up to 50% of the total out bandwidth. In this case, 50% of 500 Mbps is 250 Mbps.

 

Go to Policy & Objects -> Traffic Shaping -> Traffic Shaping Policies.

 

[Screenshot: Traffic shaping policy]

 

It is then necessary to enable the traffic shaper on the interface. In this example, traffic shaping is enabled on the LAN (port3) interface.

The outbound shaping profile is the profile created with the three classes. The outbound bandwidth is the cap on the egress bandwidth. 512,000 Kbps is equivalent to 500 Mbps.

 

Go to Network -> Interfaces -> port3 -> Traffic shaping.

 

[Screenshot: Interface outbandwidth]

 

Issuing a speed test using the LAN 50 Traffic shaping class resulted in ~253 Mbps download speed (50% of 500 is 250).

 

[Screenshot: Speed test with LAN 50 class]

 

Using the VOIP 30 Traffic shaping class resulted in ~144 Mbps (30% of 500 is 150).

 

[Screenshot: Speed test with VOIP 30 class]

 

Finally, using the Guest 20 Traffic shaping class resulted in ~104 Mbps (20% of 500 is 100).

 

[Screenshot: Speed test with Guest 20 class]
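The arithmetic behind the three classes above, as an added example that is not part of the original article: it models the profile (class IDs and priorities are assumed, the percentages and the 500 Mbps / 512,000 Kbps figures are the article's), flags the two misconfigurations the text warns about (guarantees over 100%, missing maximum bandwidth), and checks whether a per-class speed test landed near the expected cap.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# FortiOS takes the interface outbandwidth in Kbps; the article enters 512,000 Kbps
# for 500 Mbps, i.e. 1024 Kbps per Mbps.
KBPS_PER_MBPS = 1024

@dataclass(frozen=True)
class ShapingClass:
    class_id: int
    name: str
    guaranteed_pct: int          # reserved share of the total out bandwidth
    maximum_pct: Optional[int]   # cap; None models "maximum bandwidth not configured"
    priority: str = "medium"

def validate_profile(classes: List[ShapingClass]) -> List[str]:
    """Return the problems found; an empty list means the profile is consistent."""
    problems = []
    total_guaranteed = sum(c.guaranteed_pct for c in classes)
    if total_guaranteed > 100:
        problems.append(f"guaranteed bandwidth totals {total_guaranteed}% (more than 100%)")
    for c in classes:
        if c.maximum_pct is None:  # article note: without a maximum the guarantee is not honoured
            problems.append(f"class {c.name}: maximum bandwidth not configured")
        elif c.maximum_pct < c.guaranteed_pct:
            problems.append(f"class {c.name}: maximum {c.maximum_pct}% below guaranteed {c.guaranteed_pct}%")
    return problems

def class_caps_kbps(classes: List[ShapingClass], outbandwidth_kbps: int) -> Dict[str, Tuple[int, int]]:
    """(guaranteed, maximum) Kbps each class gets on an interface with this outbandwidth."""
    return {c.name: (outbandwidth_kbps * c.guaranteed_pct // 100,
                     outbandwidth_kbps * (c.maximum_pct or 0) // 100) for c in classes}

def speedtest_matches(measured_mbps: float, expected_mbps: float, tolerance: float = 0.05) -> bool:
    """True when a per-class speed test lands within tolerance of the class cap."""
    return abs(measured_mbps - expected_mbps) <= expected_mbps * tolerance

# Constructed profile mirroring the article: LAN 50 / VOIP 30 / Guest 20 on a 500 Mbps egress.
PROFILE = [
    ShapingClass(2, "LAN 50", 50, 50, "high"),
    ShapingClass(3, "VOIP 30", 30, 30, "high"),
    ShapingClass(4, "Guest 20", 20, 20, "low"),
]
OUTBANDWIDTH_KBPS = 500 * KBPS_PER_MBPS  # 512,000 Kbps, as entered on port3

if __name__ == "__main__":
    print("problems:", validate_profile(PROFILE) or "none")
    print(class_caps_kbps(PROFILE, OUTBANDWIDTH_KBPS))
```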

 

Note:

If the shaping-profile mode needs to be changed from the default (policing) to queuing, this can only be done via the CLI, as shown below:

config firewall shaping-profile
    edit "LAN-Shaper-Prof"
        set type queuing    <- Policing by default.
    next
end

 

If the type is set to 'queuing' and the FortiGate contains NP6lite or NP6xlite chips, ASIC offloading must be disabled on the relevant firewall policy or policies (example below); otherwise the shaping profile has no effect.

Since v6.4.4, policing mode is offloaded by default on NP6lite / NP6xlite devices.

config firewall policy
    edit 1
        set auto-asic-offload disable    <- Enabled by default.
    next
end

 

Comments

dhu2022 (Staff)

Nice example. Thanks for posting it.