FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article outlines the important changes to the Traffic Shaping implementation on FortiGate with NP7 Queuing-Based Traffic Management (QTM) Module.
Scope
FortiGate.
Solution
Starting from v7.4.8 and v7.6.1.
The QTM module on NP7 will not be used for policy shaping, per-ip shaping, and regular interface shaping i.e. configuring 'set outbandwidth' settings on an interface without a shaping profile. Instead, a Traffic Policing Engine (TPE) will be used.
The following configuration will not support an option to configure queuing-based shaping.
config system npu set default-qos-type {policing | shaping} <----- From previous firmware. set default-qos-type {policing} <----- On new firmware, shaping option is removed. end
Despite the default QoS type always set to policing, the QTM module on NP7 will still be utilized when a shaping profile is configured on the interfaces. These interfaces may include physical interfaces, IPSec interfaces, LAG interfaces, or VLAN interfaces over physical or LAG types.
config system interface edit <interface> .... set egress-shaping-profile "Day_Hours_Profile" set outbandwidth 10000 .... next end
Note that a maximum of 672 shaping profiles can be active at any given time on any NP7 platform FortiGate device. This limit also applies to the child tunnels of a Dialup IPsec tunnel when a shaping profile is applied to the Dial-Up Tunnel Interface.
When configuring a shaping profile, the interface MTU cannot exceed 6000 bytes. If the interface MTU is greater than 6000 bytes, the interface will not accept a shaping profile.
The changes described above have been implemented in FortiOS versions 7.2.11, 7.4.8, and 7.6.1.
