FortiGate
fwilliams
Staff
Article Id 296248
Description This article explains why NPU offload is incompatible with egress traffic shaping that uses a queuing-type shaping profile.
Scope FortiOS 6.4 and above.
Solution

If egress traffic shaping (QoS) is implemented and the shaping profile is of type queuing, note that NPU offload is not supported with queuing traffic shaping: offloaded sessions bypass the queuing shaper.

config firewall shaping-profile
    edit "LAB"
        set type queuing   <--  queuing traffic shaping.
        set default-class-id 10
        config shaping-entries
            edit 1
                set class-id 10
                set guaranteed-bandwidth-percentage 50
                set maximum-bandwidth-percentage 100
            next
        end
    next
end

If this shaping profile is applied to the VPN tunnel interface below, for example (with NPU offload enabled on both the phase1 and the firewall policy), traffic will not be shaped to the configured outbandwidth of 1.2Mbps. Instead, it will consume all the bandwidth available on the underlay interface or link, which is effectively the maximum bandwidth available to the VPN tunnel.

config system interface
    edit "name"
        set vdom "root"
        set type tunnel
        set outbandwidth 10000   <<<<<<
        set egress-shaping-profile "LAB"  <<<<<
        set interface "wan"
    next
end

To make the egress shaping work, NPU offload has to be disabled on both the phase1 and the firewall policy that carries the traffic.

config vpn ipsec phase1-interface
    edit "name"
        set npu-offload disable  <-- enabled by default.
    next
end

config firewall policy
    edit xx
        set auto-asic-offload disable   <-- enabled by default.
    next
end
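As an added example (not from the article or from Fortinet), the following Python script parses a FortiOS CLI excerpt and flags interfaces where a queuing-type egress shaping profile is combined with NPU offload still enabled on the tunnel's phase1 or on a firewall policy that egresses through it. The sample configuration, the interface name "vpn1" and policy id 7 are constructed for the example; it assumes the FortiOS defaults the article states (npu-offload and auto-asic-offload are enabled when not set).

```python
# Constructed FortiOS CLI excerpt (not from the article): a queuing shaper on a tunnel
# whose phase1 and firewall policy leave NPU offload at its default (enable).
SAMPLE_CONFIG = """
config firewall shaping-profile
    edit "LAB"
        set type queuing
    next
end
config system interface
    edit "vpn1"
        set egress-shaping-profile "LAB"
    next
end
config vpn ipsec phase1-interface
    edit "vpn1"
    next
end
config firewall policy
    edit 7
        set dstintf "vpn1"
    next
end
"""
def parse_fortios(text):
    """Nested dicts from FortiOS CLI: config/edit open a scope, set stores a value."""
    stack = [{}]  # stack[0] is the root scope
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        if parts[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(parts[1:]).replace('"', ""), {}))
        elif parts[0] == "set":
            stack[-1][parts[1]] = " ".join(parts[2:]).replace('"', "")
        elif parts[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def audit_queuing_offload(text):
    """(interface, reason) pairs where a queuing egress shaper is defeated by NPU offload."""
    cfg = parse_fortios(text)
    profiles = cfg.get("firewall shaping-profile", {})
    phase1 = cfg.get("vpn ipsec phase1-interface", {})
    findings = []
    for name, intf in cfg.get("system interface", {}).items():
        if profiles.get(intf.get("egress-shaping-profile"), {}).get("type") != "queuing":
            continue  # only queuing-type shaping profiles are affected
        # npu-offload and auto-asic-offload both default to enable when not set
        if name in phase1 and phase1[name].get("npu-offload", "enable") == "enable":
            findings.append((name, "phase1 npu-offload enabled"))
        for pid, pol in cfg.get("firewall policy", {}).items():
            if name in pol.get("dstintf", "").split() and pol.get("auto-asic-offload", "enable") == "enable":
                findings.append((name, f"policy {pid} auto-asic-offload enabled"))
    return findings
```

Run it against a `show full-configuration` export to list every tunnel whose queuing shaper is silently bypassed; an empty result means both offload settings are disabled where they need to be.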