Description
This article describes how to limit bandwidth at the interface level.
Solution
The traffic received on an interface can exceed the maximum bandwidth limit defined in the security policy.
The FortiGate then wastes processing power on packets that will be dropped later in the process. Configure the FortiGate to preemptively drop excess packets when they are received at the source interface.
A similar command is available for the outgoing interface.
To configure an interface bandwidth limit from the GUI:
To configure an interface bandwidth limit from the CLI:
config system interface
edit "port1"
.....
set inbandwidth 200
set outbandwidth 400
.....
next
end
NP6 and NP6xlite interfaces on FortiGate devices do not fully support bandwidth limits.
When outbandwidth is set on an NP6 or NP6xlite interface, the FortiGate implements a lower bandwidth limit than the one that was configured.
The inbandwidth setting has no effect on an NP6 or NP6xlite interface unless NP offloading is disabled for the traffic on that interface.
Set auto-asic-offload disable in a dedicated firewall policy for the inbandwidth setting to take effect.
Interface-based traffic shaping with NP acceleration is supported on some devices. This feature is supported on FortiGate 600E, 500E, 400E, and 300E models.
VLAN interfaces are not supported either.
config firewall policy
edit <Policy-ID>
set auto-asic-offload disable
end
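As an added example (not Fortinet code and not part of the original article), the Python check below reads a configuration backup and lists interfaces that set inbandwidth but are not the srcintf of any firewall policy with auto-asic-offload disabled, the condition described above for NP6 and NP6xlite interfaces. The sample configuration is constructed, the function names are hypothetical, and the script cannot tell whether an interface is actually NP6-backed, so treat its output as a list to review.

```python
import re
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set inbandwidth 200
    next
    edit "port2"
        set inbandwidth 1000
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set auto-asic-offload disable
    next
    edit 2
        set srcintf "port2"
end
"""  # constructed sample: port1 has a no-offload policy, port2 does not

def parse_tables(text):
    # Top-level "config <table>" blocks -> {table: {entry: {option: [values]}}}
    tables, table, entry, nested = {}, None, None, 0
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config ") and entry is not None:
            nested += 1  # sub-table inside an entry: skipped
        elif line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line == "end" and nested:
            nested -= 1
        elif line == "end":
            table = entry = None
        elif nested or table is None:
            continue
        elif line.startswith("edit "):
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line == "next":
            entry = None
        elif line.startswith("set ") and entry is not None:
            key, *vals = re.findall(r'"[^"]*"|\S+', line[4:])
            entry[key] = [v.strip('"') for v in vals]
    return tables

def inbandwidth_needing_offload_disable(text):
    # Interfaces that set inbandwidth but are not srcintf of any no-offload policy
    tables = parse_tables(text)
    covered = {i for p in tables.get("firewall policy", {}).values()
               if p.get("auto-asic-offload") == ["disable"] for i in p.get("srcintf", [])}
    return sorted(n for n, o in tables.get("system interface", {}).items()
                  if n not in covered and int(o.get("inbandwidth", ["0"])[0]) > 0)
```

Calling inbandwidth_needing_offload_disable() on the text of a backup returns the interface names to check against the NP6 and NP6xlite limitation.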
Copyright 2024 Fortinet, Inc. All Rights Reserved.