Problem:

When enabling traffic shaping on a FortiGate device (NP7 model), network access is lost/slow/drop

Symptoms:

1. The issue only happens when enabling traffic shaping: traffic is normal again after disabling traffic shaping
2. The anomaly outputs are seen in the following commands:

... FGT # diagnose npu np7 dce-drop-all
<EIF drop counters>
...
[NP7_0]
Counter EIF_0 EIF_1 EIF_2 EIF_3 EIF_4 EIF_5 EIF_6 EIF_7 Total
------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- 
[4]ipv4_plen 1 1 2 1 0 0 0 0 5
[27]tcp_csum 465 504 478 462 513 546 515 513 3996
[32]udp_csum 218 228 225 249 327 317 292 320 2176
[35]udp_plen 16 13 20 17 0 0 0 0 66
[38]icmp_csum 144 153 149 119 159 141 159 161 1185
[48]vxlan_minlen 4 6 2 2 5 9 3 9 40
[51]tcp_hlenvsl4l2n 0 0 0 0 0 1 0 1 2
------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- 
Total_drop : 7470
...

FGT # diag npu np7 dsw-ingress-stats 0 verbose
[NP7_0]
Ing_mod Cmt_idx Disp_idx Commit Dispatch Delta Stuck?
QTM       414 445 1554255848   1554255820   28      Yes
...

FGT # diag npu np7 getreg 0 qtm.qtm_dbg
sch0_enq_drop_cnt = 0012d3f2 (000606a0) <RO>
...'

Solution 1.

1. Before proceeding, make sure to back up the configuration.
2. Access the FortiGate CLI.
3. Enter the following commands:

config system npu

    set default-qos-type policing 
end

4. Reboot the device for the changes to take effect.

Note:

Running the above command will trigger a request for permission to apply changes. Choosing 'yes' for the changes to be applied triggers a reboot on the device. If the FortiGate is part of an HA, all FortiGate HA cluster members will reboot at the same time.

It is recommended to schedule downtime to apply these changes. When modifying the default QoS type to policing, it leverages the TPE (Traffic Policy Engine) module. This means a restart of the FortiGate device is mandatory.

Solution 2.

Upgrade to v7.4.8/v7.6.1 or above. The shaping option has been removed from the regular interface shaping. 'Policing' is automatically selected. It can be checked by using the command 'get system npu | grep default-qos-type' as shown below:

The 'set default-qos-type policing' command, when used within the FortiGate device's CLI, pertains to the way Quality of Service (QoS) is handled in the context of traffic management.

Command breakdown:

• default-qos-type: This refers to the default method or mechanism by which Quality of Service (QoS) is applied to network traffic on the device.

• policing: This is a specific type of QoS management. When policing traffic, a strict limit is set on the rate of traffic. Any traffic that exceeds this limit can be either dropped or remarked (changing the QoS value) so it might get dropped later in the network.

Below is a more detailed explanation of policing:

Policing:

Policing is a traffic management approach where traffic rates are monitored, and actions are taken on packets once they exceed the configured rate limits. The typical actions include:

1. Dropping: Excess packets can be dropped immediately once they exceed the defined rate.
2. Remark: Instead of dropping, excess packets can have their QoS values changed (for example, their Differentiated Services Code Point, or DSCP, values). This might result in them getting lower priority treatment elsewhere in the network.

Using policing effectively creates a 'hard ceiling' for traffic, ensuring that it does not exceed specified limits. However, one downside is that the immediate dropping of packets can lead to increased retransmissions and reduced application performance, depending on the nature of the traffic.

In the context of the FortiGate command provided (set default-qos-type policing), this would mean that the default behavior for handling QoS on the device would be to use the policing mechanism. It will be especially relevant when the device is set up for traffic shaping, as it dictates how exceeding traffic would be treated. 

Note:

QTM was introduced from the NP7 model. NP6/NP6lite/NP6xlite uses the TPE module for traffic shaping/shaping profile/class-id.

Related article:

Technical Tip: Important Changes to Traffic Shaping on FortiGate with NP7 Queuing-Based Traffic Mana...