FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes how to handle a situation where, after setting inbandwidth xx and outbandwidth xx with interface-based traffic shaping (egress-shaping-profile xxx) at FortiGate interface on the NP7 platform, FortiGate will block the traffic when the packet size is larger than 6000 bytes.
Scope
FortiGate v7.2.x.
Solution
In FortiGate, configure 'set inbandwidth xx' and 'set outbandwidth xx' with interface-based traffic shaping setting (set egress-shaping-profile xxx) at the FortiGate interface on the NP7 platform via a CLI command, as shown below.
config system interface
edit <interface’s name>
set inbandwidth 1950000
set outbandwidth 1950000
set egress-shaping-profile “testTrafficShapingProfile”
next
end
config firewall shaping-profile
edit "testTrafficShapingProfile"
set default-class-id 2
config shaping-entries
edit 1
set class-id 2
set priority top
set guaranteed-bandwidth-percentage 1
set maximum-bandwidth-percentage 100
next
end
next
end
Test to pass the traffic with many packet sizes until the packet size is larger than 6000 bytes. FortiGate will block the traffic with the packet size which is larger than 6000 bytes under that setting interface.
To fix:
For a workaround with a temporary fix: Unset the egress-shaping-profile under the interface with the following CLI command:
config system interface
edit <interface’s name>
unset egress-shaping-profile
next
end
For a permanent fix: upgrade the FortiGate firmware version to be v7.2.11, v7.4.8, v7.6.1 and above.
