Description | This article explains NPU offload incompatibility with egress traffic shaping using queuing 'shaping profile'. |
Scope | FortiOS 6.4 and above. |
Solution |
When egress traffic shaping (QoS) is implemented with a shaping profile of type queuing, note that NPU offload is not supported with queuing traffic shaping.
config firewall shaping-profile
    edit "LAB"
        set type queuing        <-- queuing traffic shaping.
        set default-class-id 10
        config shaping-entries
            edit 1
                set class-id 10
                set guaranteed-bandwidth-percentage 50
                set maximum-bandwidth-percentage 100
            next
        end
    next
end
For example, if this shaping profile is applied to the VPN tunnel interface below (with NPU offload enabled on both phase1 and the FortiWeb policy), traffic will not be shaped to the defined out bandwidth of 1.2Mbps. Instead, it will consume the whole available bandwidth on the underlay interface or link, which is technically the maximum bandwidth available to the VPN tunnel.
config system interface
    edit "name"
        set vdom "root"
        set type tunnel
        set outbandwidth 10000              <<<<<<
        set egress-shaping-profile "LAB"    <<<<<
        set interface "wan"
    next
end
To make the egress shaping work, NPU offload has to be disabled on both phase1 and FortiWeb policy.
config vpn ipsec phase1-interface
    edit "name"
        set npu-offload disable          <-- enable by default.
end
config firewall policy
    edit xx
        set auto-asic-offload disable    <-- enable by default.
end
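A check for the condition described above, run against a saved configuration (an added example, not part of the original article or Fortinet tooling). It assumes the tunnel interface has the same name as its phase1-interface entry and that policies reference the tunnel through `srcintf`/`dstintf`; the sample configuration is constructed.

```python
import shlex

def parse(text):  # returns table -> entry -> {setting: [values]}; nested sub-tables skipped
    stack, out = [], {}
    for line in text.splitlines():
        tok = shlex.split(line.split("<--")[0])      # drop '<--' annotations
        if tok[:1] == ["end"] and stack[-1][0] == "edit":
            stack.pop()                              # entry closed by 'end' without 'next'
        if tok[:1] in (["config"], ["edit"]):
            stack.append((tok[0], " ".join(tok[1:])))
        elif tok[:1] in (["next"], ["end"]):
            stack.pop()
        elif tok[:1] == ["set"] and [k for k, _ in stack] == ["config", "edit"]:
            out.setdefault(stack[0][1], {}).setdefault(stack[1][1], {})[tok[1]] = tok[2:]
    return out

def audit(text):  # offload settings that keep a queuing egress profile from shaping a tunnel
    t = parse(text)
    queuing = {n for n, s in t.get("firewall shaping-profile", {}).items() if s.get("type") == ["queuing"]}
    found = []
    for name, s in t.get("system interface", {}).items():
        if s.get("type") != ["tunnel"] or not queuing & set(s.get("egress-shaping-profile", [])):
            continue
        p1 = t.get("vpn ipsec phase1-interface", {}).get(name, {})  # assumption: same name
        if p1.get("npu-offload", ["enable"]) != ["disable"]:        # enabled by default
            found.append(f"phase1 {name}: npu-offload enabled")
        for pid, p in t.get("firewall policy", {}).items():
            uses = name in p.get("srcintf", []) + p.get("dstintf", [])
            if uses and p.get("auto-asic-offload", ["enable"]) != ["disable"]:
                found.append(f"policy {pid}: auto-asic-offload enabled")
    return found

SAMPLE = """config firewall shaping-profile
edit "LAB"
set type queuing    <-- queuing traffic shaping
end
config system interface
edit "vpn1"
set type tunnel
set egress-shaping-profile "LAB"
end
config vpn ipsec phase1-interface
edit "vpn1"
set npu-offload disable
end
config firewall policy
edit 7
set dstintf "vpn1"
end"""
print(audit(SAMPLE))  # SAMPLE is constructed: tunnel "vpn1" and policy id 7 are made up
```

An empty list means every tunnel that uses a queuing profile has offload disabled on both its phase1 and the policies that reference it.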
To show the queuing type shaping-profile, use the following commands:
Related article: Technical Tip: NPU Offloading and Traffic Shaping Statistics |