Created on 07-24-2009 04:40 AM Edited on 03-25-2022 10:34 AM By Anonymous
Description
This article describes the traffic shaping features implemented in FortiOS 4.0.
In FortiOS 4.0, traffic shaping has been enhanced: diagnose commands allow each traffic shaper's usage to be verified, and the configuration is more flexible.
See also the related articles at the end of this page, the FortiGate Administration Guide, or the Traffic Shaping Technical Note 3.0MR6 for additional information about traffic shaping.
Scope
FortiOS 4.0 and above
Solution
1- Traffic shaping configuration is decoupled from the firewall policies, allowing multiple policies to use a common shaper configuration
2- Independent shaper configurations can be used in a policy for the forward and reverse traffic directions
3- The P2P shaping capabilities are now defined at the application control level
4- Troubleshooting packet loss with statistics on traffic shaping configurations
5- Troubleshooting packet loss with the debug flow diagnose commands
6- Session list details with dual traffic shaper (forward and reverse traffic)
Configure traffic shaping from the CLI:
config firewall traffic-shaper
    edit "limit_GB_25_MB_50_LQ"
        set guaranteed-bandwidth 25 (*)
        set maximum-bandwidth 50 (*)
        set priority low
        set per-policy enable (**)
    next
end
config firewall policy
    edit 1
        set srcintf "port5"
        set dstintf "port6"
        set srcaddr "VM11"
        set dstaddr "VM5"
        set action accept
        set schedule "always"
        set service "ANY"
        set traffic-shaper "limit_GB_25_MB_50_LQ"
    next
end
FortiOS 4.0 enables you to have separate shapers for reverse traffic on a Firewall Policy. With FortiOS 3.0, the reverse traffic was shaped with the same shaper profile as the originating traffic.
To configure it using the CLI, enter the following commands:
config firewall policy
    edit 4
        set srcintf "port2"
        set dstintf "port6"
        set srcaddr "VM3"
        set dstaddr "VM6"
        set action accept
        set schedule "always"
        set service "ANY"
        set traffic-shaper "limit_GB_25_MB_50_LQ"
        set traffic-shaper-reverse "limit_GB_12_MB_25_LQ"
    next
end
In FortiOS version 3.0, the P2P traffic limits were defined at the protection profile level.
To configure P2P shaping in FortiOS 4.0 from the CLI, enter the following commands:
config application list
    edit "My P2P application"
        config entries
            edit 1
                set action pass
                set application 9
                set category 2
                set shaper "My P2P shaper"
                set shaper-reverse "My P2P shaper"
            next
        end
    next
end
For each shaper there are counters that allow you to verify whether packets have been discarded.
To view this information, enter the CLI command diagnose firewall shaper.
The results will look similar to the following output:
FGT# diagnose firewall shaper
name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 KB/sec
guaranteed-bandwidth 25 KB/sec
current-bandwidth 51 KB/sec
priority 3
dropped 1291985
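As an added example (not part of the original article), the following Python script parses two successive polls of diagnose firewall shaper output in the format shown above and reports, per shaper, how many packets were dropped between the polls (the dropped counter is cumulative, so a single reading does not tell you whether drops are still occurring) and whether current-bandwidth has reached maximum-bandwidth. The sample output, including the second shaper, is constructed.

```python
# Constructed sample output in the format of "diagnose firewall shaper":
# two polls of the same device a few seconds apart (not captured from a real FortiGate).
POLL_1 = """\
name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 KB/sec
guaranteed-bandwidth 25 KB/sec
current-bandwidth 51 KB/sec
priority 3
dropped 1291985
name limit_GB_12_MB_25_LQ
maximum-bandwidth 25 KB/sec
guaranteed-bandwidth 12 KB/sec
current-bandwidth 3 KB/sec
priority 3
dropped 40
"""
# Second poll: only the saturated shaper has dropped more packets since the first poll.
POLL_2 = POLL_1.replace("dropped 1291985", "dropped 1292407")


def parse_shapers(text):
    """Return {shaper_name: {field: int}} from diagnose firewall shaper output."""
    shapers, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        key, value = parts[0], parts[1]
        if key == "name":
            current = shapers.setdefault(value, {})
        elif current is not None and value.isdigit():
            current[key] = int(value)  # the unit suffix ("KB/sec") is discarded
    return shapers


def shaper_report(before, after):
    """Per shaper: packets dropped since the previous poll (the 'dropped' counter is
    cumulative) and whether current-bandwidth has reached maximum-bandwidth."""
    old, new = parse_shapers(before), parse_shapers(after)
    report = {}
    for name, s in new.items():
        previous = old.get(name, {}).get("dropped", s["dropped"])
        report[name] = {
            "new_drops": s["dropped"] - previous,
            "saturated": s["current-bandwidth"] >= s["maximum-bandwidth"],
        }
    return report
```

A shaper whose new_drops keeps growing between polls while saturated is true is the one to look at first; a large but static dropped value may be history from an earlier burst.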
Note: the diagnose command output differs depending on whether a shaper is configured per-policy or shared between policies.
Below is an example where two policies use the same shaper; because the shaper is per-policy, it maintains a separate statistics entry for each policy:
When using the debug flow diagnostic command, a specific message indicates that a packet has exceeded the shaper limits and was therefore discarded:
FGT# diagnose debug flow show console enable
FGT# diagnose debug flow filter addr 10.143.0.5
FGT# diagnose debug flow trace start 1000
id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
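Added example, not from the original article: a Python parser for debug flow trace lines in the format shown above. It groups messages by trace_id and returns only the traces that ended with "exceeded shaper limit, drop", together with the session id and packet details collected from the preceding messages of the same trace. The trace text is constructed; trace_id 12 is a made-up forwarded flow added for contrast.

```python
import re

# Constructed debug flow trace in the format shown above (not captured from a real
# FortiGate): trace_id 11 is the shaped-and-dropped packet, trace_id 12 a forwarded one.
TRACE = """\
id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
id=20085 trace_id=12 msg="vd-root received a packet(proto=6, 10.141.0.11:40210->10.143.0.5:80) from port5."
id=20085 trace_id=12 msg="Find an existing session, id-0000eac0, original direction"
id=20085 trace_id=12 msg="enter fast path"
"""

LINE_RE = re.compile(r'trace_id=(\d+) msg="(.*)"$')
PKT_RE = re.compile(r"proto=(\d+), (\S+)->(\S+)\) from (\w+)")
SESSION_RE = re.compile(r"session, (id-[0-9a-f]+)")
DROP_MSG = "exceeded shaper limit, drop"


def shaper_drops(trace_text):
    """Group trace lines by trace_id and return only the traces the shaper dropped,
    each with the session id and packet details collected from the earlier messages."""
    traces = {}
    for line in trace_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        trace_id, msg = m.group(1), m.group(2)
        trace = traces.setdefault(trace_id, {"dropped": False})
        pkt, sess = PKT_RE.search(msg), SESSION_RE.search(msg)
        if pkt:
            # "received a packet(proto=17, src->dst) from port5."
            trace.update(proto=int(pkt.group(1)), src=pkt.group(2),
                         dst=pkt.group(3), ingress=pkt.group(4))
        elif sess:
            # "Find an existing session, id-0000eabc, original direction"
            trace["session"] = sess.group(1)
        elif msg == DROP_MSG:
            trace["dropped"] = True
    return {tid: t for tid, t in traces.items() if t["dropped"]}
```

The session id in the result is what you would look up in diagnose sys session list to see which shaper the session is attached to.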
When a Firewall Policy has a different traffic shaper for each direction, this is reflected in the session list output from the CLI:
diagnose sys session list
session info: proto=6 proto_state=02 expire=115 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=Limit_25Mbps prio=1 guarantee 25600/sec max 204800/sec traffic 48/sec
reply-shaper=Limit_100Mbps prio=1 guarantee 102400/sec max 204800/sec traffic 0/sec
ha_id=0 hakey=44020
policy_dir=0 tunnel=/
state=may_dirty rem os rs
statistic(bytes/packets/allow_err): org=96/2/1 reply=0/0/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=10.160.0.1/0.0.0.0
hook=pre dir=org act=dnat 192.168.171.243:2538->192.168.182.110:80(10.160.0.1:80)
hook=post dir=reply act=snat 10.160.0.1:80->192.168.171.243:2538(192.168.182.110:80)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0 serial=00011e81 tos=ff/ff app=0 dd_type=0 dd_rule_id=0
Internal Notes
INTERNAL NOTE: This is the traffic shaping packet flow 3.0 and 4.0
Related Articles
Technical Note: Traffic shaping and outbandwidth parameter for Guaranteed and Max bandwidth
Technical Note: Differentiated Services Code Point (DSCP) processing through a FortiGate