Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vpalli
Staff & Editor
Staff & Editor

Created on ‎01-19-2025 11:31 PM Edited on ‎08-18-2025 01:32 AM By Community Manager

Article Id 371142

Technical Tip: End User traffic may be dropped on FortiGate when Traffic Shaping Policy is enabled on NP7lite devices

Description This article describes an issue where network or Internet access may be disrupted for the end user when a traffic shaping policy is enabled on NP7lite devices such as the FortiGate-90G/91G.
Scope FortiGate.
Solution

On v7.2.10 and earlier, v7.4.7 and earlier, and v7.6.2 and earlier, network or Internet access may be disrupted for end users even when traffic levels do not reach the maximum bandwidth limits of the shaper.

This issue occurs when a traffic shaping policy is applied to the session on NP7lite devices, such as the FortiGate-90G/91G.

 

Below is an example configuration of the traffic shaper and traffic shaping policy.

 

config firewall shaper per-ip-shaper
    edit "Internet 300Mbps Shaper"
        set max-bandwidth 300000
    next
end

 

config firewall shaper traffic-shaper
    edit "Internet 300Mbps Shaper"
        set maximum-bandwidth 300000
        set priority medium
    next
end

 

config firewall shaping-policy
    edit 1
        set name "Internet Shaper"
        set service "ALL"
        set srcintf "LAN"
        set dstintf "WAN"
        set per-ip-shaper "Internet 300Mbps Shaper"
        set srcaddr "all"
        set dstaddr "all"
    next
end

 

The NP7lite statistics may indicate an increase in the DCE_QTM_ENQ_DROP count when the shaping policy is enabled, regardless of whether a per-IP shaper or traffic shaper is referenced in the shaping policy.

 

FortiGate-90G # diagnose npu np7lite dce-eng-drop all
305 DCE_QTM_ENQ_DROP 637531 +

FortiGate-90G # diagnose npu np7lite dce-eng-drop all
305 DCE_QTM_ENQ_DROP 638217 +

 

Workaround:
Disable the shaping-policy with the command 'set status disable':

 

config firewall shaping-policy
    edit 1
        set status disable
    next
end

 

This issue has been resolved in v7.2.11, v7.4.8, v7.6.3.

 

General debug information required by FortiGate TAC for investigation:

  1. FortiGate Configuration File.
  2. Use the following command:

 

execute tac report

 

  1. NP7lite statistics:

 

diagnose npu np7lite hif-stats
diagnose npu np7lite dce-drop-all 0 verbose
diagnose npu np7lite pba 0
diagnose npu np7lite sse-stats 0
diagnose npu np7lite dsw-qtbl-stats 0 verbose
diagnose npu np7lite dce-eng-drop all
diagnose npu np7lite dce-dsw-drop all
diagnose npu np7lite dce-eng-stats ll
fnsysctl cat /proc/net/np7lite/qtm
fnsysctl cat /proc/net/np7lite/np7lite_0/hif-stats
fnsysctl cat /proc/net/np7lite/np7lite_0/hif-que
fnsysctl cat /proc/net/np7lite/tpe

 

Note:
Super Admin privilege is required to run the 'fnsysctl' command. Otherwise, FortiGate will return an error, as explained in this KB article: Troubleshooting Tip: fnsysctl command returns Unknown action 0 

The same behaviour is observed for the FortiGate-120G/121G models.
1232
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.