Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mauromarme
Staff
Staff

Created on ‎01-29-2024 10:08 PM Edited on ‎08-13-2024 03:22 AM By Community Manager

Article Id 296337

Technical Tip: Using Traffic Shaping with Class ID to Prioritize Traffic

Description

This article describes which technique can be used to prioritize traffic as stated in the example below:

  • 100MB Bandwidth Available on the WAN Interface.
  • There are 2 User Types: Agents and Management.
  • The main goal is to prioritize the Management user's traffic over the Agent's traffic.
  • Agents users can utilize all the available bandwidth only if Management users are not utilizing all of it.
  • Management users can utilize all the available bandwidth.
Scope Traffic Shaping, FortiOS, FortiGate, QoS.
Solution
  1. Create Traffic Shaping Profile.

Traffic Shaping Profile configuration includes creating Class IDs (Identifier that can be used to apply Traffic Shaping Policies) and assigning Guaranteed Bandwidth, Maximum Bandwidth, and Priority per Class ID.


In this example, 2 Class IDs need to be created, each of them would allow to identification of the traffic for Agents and Management users. 

 

Traffic Shaping ProfileTraffic Shaping Profile

 

The Class ID named CEO will identify Management Users' traffic, and the Class ID named Agent will identify Agent Users' Traffic.

Guaranteed traffic means that all the traffic tagged with this Class ID will always have that percentage of the total amount of Bandwidth available on the interface. 


Maximum Bandwidth means that all the traffic tagged with this Class ID can use that percentage of the total amount of Bandwidth configured on the interface.


The priority is how the traffic will be prioritized by FortiGate (Top, Critical, High, Medium, Low).

Class ID CEO Configurations:

Guaranteed Bandwidth: 99%.
Maximum Bandwidth: 100%.

Priority: Top.
Default

Class ID AGENT Configurations:
Guaranteed Bandwidth: 1%.
Maximum Bandwidth: 100%.
Priority: Low

 

  1. Create a Traffic Shaping Policy.

The Traffic Shaping Policy will determine the traffic that is going to be tagged with a Class ID.
It is necessary to configure, Source, Destination, Destination Interface, and Action. The action may be to Apply a Traffic Shaper or Assign a Shaping Class ID. In this case, the action will be to assign a Shaping Class ID.

 

Traffic Shaping Policies work similarly to the Firewall Policies and the traffic is matched from top to bottom.

 

Traffic Shaping Policy 1Traffic Shaping Policy 1

 

Traffic Shaping Policy 2Traffic Shaping Policy 2

 

The primary goal in this scenario is to prioritize traffic based on Class ID. To achieve this, Traffic Shaping Policies are essential as they enable the assignment of a Class ID to specific traffic. Since there are two distinct Class IDs, the creation of two Traffic Shaping Policies is necessary, each dedicated to assigning a unique Class ID.

 

  1. Configure Wan Interface

Following the setup of Traffic Shaping Policies and Traffic Shaping Profiles, the subsequent task involves configuring the WAN interface. It is essential to establish the Inbound Bandwidth and specify the Ingress Traffic Shaping Profile. Additionally, it is possible to configure the Egress Traffic Shaping Profile and set the Outbound Bandwidth, with the specifics contingent on the particular traffic flow.
For user downloads, the traffic would be 'Inbound Traffic' and for user uploads, the traffic would be 'Outbound Traffic'.

In this example, the configurations would apply for Inbound Traffic but the commands for Outbound Traffic can also be found below.
This can be done using CLI.

 

config system interface

edit "port1" <----- The WAN Interface.

set inbandwidth 100000 <- Specify the bandwidth for the interface in kbps. The percentage configured on the Class ID will be calculated based on this value.

set outbandwidth <- Specify the bandwidth for the interface in kbps. The percentage configured on the Class ID will be calculated based on this value.

set ingress-shaping-profile TEST <- Name of the Shaping Profile created in the First Step.

set egress-shaping-profile <- Name of the Shaping Profile created in the First Step.

 

With this configuration, traffic between Agent Users and Management Users will be prioritized.

It is possible to verify this by downloading a file on an Agent Machine. It will utilize all available bandwidth.

However, when a download is initiated on a Management User Machine, the download speed on the Agent Machine will decrease to 1%, while the Management User Machine will start utilizing all available bandwidth.

Agent Machine would start using all the BW again after the Download on Management User Machine has ended or if it is canceled. 

 

Note: 

If the shaping-profile mode needs to be changed from the default (policing) to queuing, this can only be done via the CLI, as in the example below:

 

config firewall shaping-profile

edit "TEST"

set type queuing    <- Policing by default.

next

end

 

If the type = 'queuing' and the Fortigate devices contain either NP6lite or NP6xlite chips, then ASIC offloading must be disabled on the appropriate firewall policy/policies (example below), otherwise the shaping-profile has no effect.

Since v6.4.4 policing mode is offloaded by default on NP6lite/NP6xlite devices.


config firewall policy

edit 1

set auto-asic-offload disable    <- Enabled by default.

next

end
3358
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.