Description
This article describes how to implement interface-based traffic shaping (QoS) on FortiGate.
Scope
FortiGate v6.4, v7.0 and v7.2.
Solution
QoS is usually implemented in three tiers: traffic/user classification, policy definition, and application of the policy. Each tier matters, and QoS will not function fully if any one of them is missing.
Use case: interface-based traffic shaping is useful in SD-WAN, because it can enforce a percentage of the bandwidth of each SD-WAN member interface per traffic class. Implementing interface-based traffic shaping on FortiOS requires three configuration steps:
1) Traffic classification with a traffic shaping policy.
FortiOS provides up to 30 traffic classes for classification, identified by class IDs ranging from 2 to 31. A class name can be assigned to each class ID for easier identification. This demonstration uses four classes: class IDs 10, 15 and 20 for PC100, PC150 and PC200 respectively, and class ID 30 as the default class. The IP address of PC100 is 10.10.10.100, PC150 is 10.10.10.150 and PC200 is 10.10.10.200. Traffic that does not match class 10, 15 or 20 is placed in class 30.
2) A traffic shaping profile to define the properties of the QoS policy. The shaping profile defines what each class is actually allowed to use: the maximum bandwidth, the guaranteed bandwidth, and the priority (low, medium or high) assigned to each class. Maximum and guaranteed bandwidth are calculated as percentages of the outbound bandwidth configured on the WAN interface, so that value must be set on the interface or the percentages have nothing to be calculated against. In this demonstration, 20% of the outbound bandwidth is guaranteed to PC100, 30% to PC150, 40% to PC200, and the remaining 10% to the default class. This means that if PC100, PC150 and PC200 all demand their full allocation at the same time, any other PC cannot be allocated more than 10% of the total bandwidth of the WAN interface. Note that the default class must be specified in the shaping profile configuration.
3) Application of the configured shaping profile to the intended FortiGate interface. Apply the shaping profile to each SD-WAN member interface (if SD-WAN is not used, the procedure is the same: apply the shaping profile to the WAN interface). In this demonstration, WAN1 (port1) is an internet link with 10 Mbps capacity and WAN2 (port2) has 5 Mbps capacity.
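The complete CLI for the three steps above, as an added example and not configuration taken from the original article. It assumes port1 and port2 are the SD-WAN member interfaces, address object names PC100, PC150 and PC200, a profile name of "sdwan-egress", and the priority values and 100% maximum-bandwidth settings are chosen here for illustration (the maximum lets a class borrow idle bandwidth while the guaranteed percentages reserve the shares described above). The interface outbandwidth is set in kbps. Lines starting with # are annotations and should be dropped before pasting into the FortiGate CLI.

```fortios
# Step 1: address objects for the hosts, optional class names, and shaping policies that map traffic to a class ID
config firewall address
    edit "PC100"
        set subnet 10.10.10.100 255.255.255.255
    next
    edit "PC150"
        set subnet 10.10.10.150 255.255.255.255
    next
    edit "PC200"
        set subnet 10.10.10.200 255.255.255.255
    next
end
config firewall traffic-class
    edit 10
        set class-name "PC100"
    next
    edit 15
        set class-name "PC150"
    next
    edit 20
        set class-name "PC200"
    next
end
config firewall shaping-policy
    edit 1
        set name "class-PC100"
        set srcaddr "PC100"
        set dstaddr "all"
        set service "ALL"
        set dstintf "port1" "port2"
        set class-id 10
    next
    edit 2
        set name "class-PC150"
        set srcaddr "PC150"
        set dstaddr "all"
        set service "ALL"
        set dstintf "port1" "port2"
        set class-id 15
    next
    edit 3
        set name "class-PC200"
        set srcaddr "PC200"
        set dstaddr "all"
        set service "ALL"
        set dstintf "port1" "port2"
        set class-id 20
    next
end
# Step 2: shaping profile; percentages are of the interface outbandwidth, class 30 catches unmatched traffic
config firewall shaping-profile
    edit "sdwan-egress"
        set default-class-id 30
        config shaping-entries
            edit 1
                set class-id 10
                set priority high
                set guaranteed-bandwidth-percentage 20
                set maximum-bandwidth-percentage 100
            next
            edit 2
                set class-id 15
                set priority medium
                set guaranteed-bandwidth-percentage 30
                set maximum-bandwidth-percentage 100
            next
            edit 3
                set class-id 20
                set priority medium
                set guaranteed-bandwidth-percentage 40
                set maximum-bandwidth-percentage 100
            next
            edit 4
                set class-id 30
                set priority low
                set guaranteed-bandwidth-percentage 10
                set maximum-bandwidth-percentage 100
            next
        end
    next
end
# Step 3: outbound bandwidth in kbps (10 Mbps and 5 Mbps) plus the egress profile on each SD-WAN member
config system interface
    edit "port1"
        set outbandwidth 10000
        set egress-shaping-profile "sdwan-egress"
    next
    edit "port2"
        set outbandwidth 5000
        set egress-shaping-profile "sdwan-egress"
    next
end
```

The guaranteed percentages must add up to no more than 100 across the entries, and every shaping policy must reference a class ID that has an entry in the profile applied to its destination interface; otherwise that traffic is treated as the default class.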
To test the configuration, traffic is initiated to the Internet from PC100, PC150, PC200, and one more PC (which falls into the default class). The following commands show each address/PC matching the right class ID and the intended bandwidth being allocated (or available to be allocated when demanded).
# diagnose firewall iprope list 100015
# diagnose netlink interface list port1
With this command, it is possible to see the allocated, guaranteed and current usage for each class. If there are drops, they are also visible in this output.
- The SD-WAN rule shows that traffic is hitting the WAN links.
Copyright 2025 Fortinet, Inc. All Rights Reserved.