FortiGate
martinsd
Staff
Article Id 325404
Description This article describes traffic shaping behavior on different platforms.
Scope FortiGate.
Solution

NP6/NP6Lite/NP6xLite:

The TPE Shaper implemented in NP6, NP6Lite, and NP6xLite ASICs functions primarily as a policer rather than a traditional shaper. It operates effectively when packets are transmitted at a consistent rate. The TPE Shaper assesses the traffic against a predefined quota for each interval. It allows a certain amount of traffic to pass within each interval and drops any excess once the quota is met.

 

Example Scenario:

  • Traffic Pattern: A device transmits at 200Mbps for the first 0.5 seconds and then remains idle for the next 0.5 seconds.
  • Expected Outcome: Despite the average speed being 100Mbps, the TPE Shaper only allows 25Mbps in the first 0.5 seconds.
    Since no traffic is sent in the second 0.5 seconds but the FortiGate expects 25Mbps, the total output remains 25Mbps.
  • Explanation: Because the interval the tester uses to control bandwidth differs from the interval used by the hardware shaper, the result is hard to estimate. Packets dropped by the shaper cause TCP retransmissions, so both the original traffic and the retransmissions are handled by the hardware shaper, and the effective throughput is reduced.

 

NP7/NP7Lite:

NP7 and NP7Lite ASICs offer two shaping mechanisms:

  • Traffic Policy Engine (TPE) Shaper (Policer). Same behavior as NP6/NP6Lite/NP6xLite.

  • Queuing-based Traffic Management (QTM) Shaper.

 

Users can configure the desired traffic management method using:

 

config system npu
    set default-qos-type [policing|shaping]
end
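
The following added example (not Fortinet code and not part of the original article) replays the Example Scenario traffic through an interval-quota policer and a queue-based shaper to show why the two produce different throughput and drop counts. The 50 Mbps limit, the 10 ms policer interval and the buffer sizes are assumptions chosen so the policer result matches the 25Mbps in the scenario; the article does not state the real NP interval or queue depth.

```python
# Added example, not Fortinet code. Units: kbit and ms, so 1 Mbps == 1 kbit/ms.
# Assumed values (not from the article): 50 Mbps limit, 10 ms policer interval,
# shaper buffer sizes. TCP back-off after drops is not modelled.

def offered_kbit(t_ms):
    """Scenario traffic: 200 Mbps for the first 0.5 s of each second, then idle."""
    return 200 if t_ms % 1000 < 500 else 0

def run_policer(limit_mbps, interval_ms, duration_ms=1000):
    """Per-interval quota: pass until the quota is used, drop the rest."""
    quota = limit_mbps * interval_ms          # kbit allowed per interval
    passed = dropped = used = 0
    for t in range(duration_ms):
        if t % interval_ms == 0:
            used = 0                          # quota unused during idle time is lost
        offered = offered_kbit(t)
        allowed = min(offered, quota - used)
        used += allowed
        passed += allowed
        dropped += offered - allowed
    return passed, dropped

def run_shaper(limit_mbps, buffer_kbit, duration_ms=1000):
    """Queue-based: buffer the burst, drain at the limit, drop only on overflow."""
    queue = passed = dropped = 0
    for t in range(duration_ms):
        offered = offered_kbit(t)
        accepted = min(offered, buffer_kbit - queue)
        queue += accepted
        dropped += offered - accepted         # buffer overflow
        sent = min(queue, limit_mbps)         # limit_mbps kbit drained per ms
        queue -= sent
        passed += sent
    return passed, dropped

if __name__ == "__main__":
    cases = {
        "policer, 10 ms interval": run_policer(50, 10),
        "shaper, 10 Mbit buffer": run_shaper(50, 10_000),
        "shaper, 100 Mbit buffer": run_shaper(50, 100_000),
    }
    for name, (passed, dropped) in cases.items():
        # kbit passed in 1 s divided by 1000 gives the average Mbps
        print(f"{name}: {passed / 1000:.2f} Mbps passed, {dropped} kbit dropped")
```
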

 

Shaper and Policer Use Cases:

 

Case 1: Iperf3 No Limit and no Shaper

Purpose: Establishes a baseline for the line and FortiGate's handling capacity, showing performance over 10Mbps.

 


 

Case 2: Iperf3 No Limit. 10M Upload/Download Traffic Shaping Policy (QTM Shaper).

Observation: Demonstrates QTM shaper behavior with packet drops due to buffer overflow.

 


 

 

Case 3: Iperf3 11M Limit. 10M Upload/Download Traffic Shaping Policy (QTM Shaper).

Observation: Shows reduced packet drops (193 drops) compared to Case 2 (4758 drops) with the QTM shaper.

 


 

Case 4: Iperf3 No Limit. 10M Upload/Download Traffic Shaping Policy (TPE Shaper).

Observation: As a policer, the TPE shaper drops packets exceeding the policy limits. Packet drops will trigger TCP congestion control. The host TCP stack will lower the flow to half of the original throughput or lower.

 


 

Case 5: Iperf3 11M Limit. 10M Upload/Download Traffic Shaping Policy (TPE Shaper).

Observation: Demonstrates fewer packet drops (1166 drops) compared to Case 4 (1884 drops) using the TPE shaper under a policer configuration.

 


 

Case 6: Iperf3 No Limit - 10M Upload/Download Traffic Shaping Policy - No NP Offloading (Kernel Shaper)

Observation: Shows the Kernel Shaper's performance with no drops at the NPU level, indicating no NP offloading.

 
