FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Istvan_Takacs_FTNT
Description
In some cases when only limited external bandwidth is available, customer needs to  apply traffic shaping and priority to make sure critical applications or subnets receive more resources than non-critical ones.
 

Solution
The following use case was created to test the configuration of 2 different traffic shaping policies on a Fortigate firewall. The wan interface was limited to only 1 Mb while both physical LAN interfaces were left on the default available on the Fortigate.

The policies were tested with simultaneous FTP file downloads that has the potential to fully utilise the available bandwidth.

SNMP server was used to monitor the link utilisation of all the 3 interfaces at the same time and graph the result.

diagram.png

The Fortigate has the following configuration (showing only the relevant part).

 config system interface
    edit "wan1"
        set ip 10.1.1.1 255.255.255.0
        set type physical
        set inbandwidth 1024
        set outbandwidth 1024
    next
    edit "internal1"
        set ip 20.1.1.1 255.255.255.0
        set allowaccess https ssh snmp
        set type physical
    next
    edit "internal5"
        set ip 30.1.1.1 255.255.255.0
        set allowaccess ping
        set type physical
    next
end
 
config firewall shaper traffic-shaper
    edit "client-guarantee-800kbps-high"
        set guaranteed-bandwidth 800
        set maximum-bandwidth 1024
        set per-policy enable
    next
    edit "crew-guarantee-400-medium"
        set guaranteed-bandwidth 200
        set maximum-bandwidth 1024
        set priority medium
    next
end

config firewall policy
    edit 1
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "client-10.1.1.0/24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "FTP_GET"
        set logtraffic all
        set traffic-shaper "client-guarantee-800kbps-high"
        set nat enable
    next
    edit 2
        set srcintf "internal5"
        set dstintf "wan1"
        set srcaddr "crew-20.2.2.0/24"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set traffic-shaper "crew-guarantee-400-medium"
        set nat enable
    next
end

The following chart displays the utilization of the WAN link during the upload/download test. The link was fully utilised all the time, regardless of which internal link was used or the direction of the traffic.

 WAN.jpg

The next charts display the link utilisation via both LAN ports internal1 (client) and internal5 (crew) while the FTP downloads were running either simultaneously on both LAN networks or was stopped on the different subnets.

 LAN.jpg

The following events took place on the 2 links that are marked with the text boxes.

1. Started the FTP download on both of the links and the traffic-shaping policies kicked in. The download was started first by a few minutes on the client link, the default priority 0 (High) was assigned to the traffic and the download could use the full 1 Mb link speed.

When the download started on the crew link, both of them automatically were shaped to the configured value.

2. Downloading was stopped on the crew network and again the client network could use the 1 Mb external bandwidth until the download was restarted again.

The high-priority sessions were already running on the client-link, and as the result they took priority over the crew download and that subnet could only use the guaranteed limit (200 kbps).

3. FTP was stopped on the client link. The crew could access more bandwidth as only casual web browsing, etc. was happening on the client link. 

The crew could push the link usage up to 500 kbps until the FTP session was restarted again.

4. When the FTP session was restarted on the client link, the shaping policy kicked in again to allocate the guaranteed 800 kps limit to the requests.

The rest of the requests on the medium-priority crew link was shaped back.

5. Download finished on the high-priority client-link and the download on the medium-priorty link could have more bandwidth again.


The article shows how the Fortigate firewall dynamically allocates the available bandwidth, based on the traffic shaping and priority configuration and network utilisation.

Supporting documentation

For more information on Traffic Shaping and priority configuration, refer to the following documents on the Fortinet Document Library web site:

- FortiOS 5.0 or 5.2 Handbook.

- FortiOS Traffic Shaping guide.


Contributors