otsaggos
Staff
Article Id 241512

Description

 

This article provides troubleshooting commands for possible traffic shaper issues.

 

Scope

 

FortiGate v6.0, v6.2, v6.4, v7.0, v7.2, v7.4, v7.6.

 

Solution

 

Check Ethernet statistics:

To optimize traffic shaping performance, run the following command:

 

diagnose hardware deviceinfo nic <interface_name>

 

This command will provide information about Ethernet statistics for the network interfaces. It will show possible errors, collisions, or buffer overruns.

 

Check the traffic shaper information.

 

To see information about ToS lists and traffic, run the following command:

 

diagnose sys traffic-priority list

 

The output will show the priority value currently associated with each possible ToS bit value, which ranges from 0 to 15.

 

Check information about Shared and per-IP traffic shapers.

 

For shared policy:

Run the following command to check information about shared policy traffic, such as max, guaranteed, and current bandwidth, including priorities and packets and bytes dropped.

 

diagnose firewall shaper traffic-shaper list

 

For per-IP policy:

Run the equivalent command for per-IP shared policy:

 

diagnose firewall shaper per-ip-shaper list

 

This provides information about shared policy traffic and max, guaranteed, and current bandwidth, including priorities and packets and bytes dropped.

 

Additionally, to see traffic shaper statistics (combined) from CLI:

 

diagnose firewall shaper traffic-shaper stats

 

Note:

Shared Shapers affect upload speed, but all users share the set bandwidth. For example, if a shared shaper of 100 Mbps is set for YouTube, everyone uploading to YouTube shares that 100 Mbps (to limit the download speed from YouTube, apply the shared shaper as a Reverse Shaper).

 

  • Bandwidth management of security policies.
  • Applies a total bandwidth to all traffic using the shaper.
  • The scope can be per policy or for all policies referencing the shaper.

 

Per-IP Shapers affect the speed of the nominated users (via IP). So if the entire network is set to a per-IP shaper of 1 Mbps, every user will be allocated 1 Mbps of bandwidth (assuming there is enough bandwidth on the outgoing link). Even if there is only one user on the network, that user can only use 1 Mbps. If there are ten users, each can use 1 Mbps, for a total of 10 Mbps.

 

  • Bandwidth management of user IP addresses.
  • Allows you to apply traffic shaping to all source IP addresses in the security policy.
  • Bandwidth is equally divided among the group.

 

Check that the traffic shaper is applied to the session:

 

diagnose sys session filter clear
diagnose sys session filter src <src_ip_address>
diagnose sys session filter dst <dst_ip_address>
diagnose sys session list

 

session info: proto=6 proto_state=01 duration=894 expire=3598 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 128000Bps traffic 115649Bps drops 7117B
reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 128000Bps traffic 115649Bps drops 1634780B
per_ip_shaper=
class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty os rs f00
statistic(bytes/packets/allow_err): org=469557/7050/1 reply=29487578/19923/1 tuples=2
tx speed(Bps/kbps): 514/4 rx speed(Bps/kbps): 32473/259
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.5.31.254/10.164.15.78
hook=post dir=org act=snat 10.1.1.1:58917->2.21.34.66:80(10.1.1.1:58917)
hook=pre dir=reply act=dnat 2.21.34.66:80->10.1.1.1:58917(10.1.1.1:58917)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=14726 auth_info=0 chk_client_info=0 vd=0
serial=1a0e7c37 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off
total session 4
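
When many sessions are listed, the shaper lines can be checked with a script. The following is an added example, not Fortinet code: it parses saved `diagnose sys session list` output and flags sessions with no shaper attached, shapers running near their max, and shapers with drops. The function names, the 0.9 threshold and the second sample session are assumptions. The example also assumes an unshaped session prints empty `origin-shaper=` and `reply-shaper=` fields, as `per_ip_shaper=` does in the output above.

```python
import re

# Session 1 is taken from the output above (trimmed). Session 2 is constructed:
# a session with no shaper attached; its serial and policy_id are made up.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=894 expire=3598 timeout=3600
origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 128000Bps traffic 115649Bps drops 7117B
reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 128000Bps traffic 115649Bps drops 1634780B
class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
misc=0 policy_id=1 pol_uuid_idx=14726 auth_info=0 chk_client_info=0 vd=0
serial=1a0e7c37 tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=17 proto_state=00 duration=5 expire=175 timeout=0
origin-shaper=
reply-shaper=
misc=0 policy_id=7 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=0000abcd tos=ff/ff app_list=0 app=0 url_cat=0
"""

SHAPER_RE = re.compile(r"^(origin-shaper|reply-shaper)=(\S+) prio=(\d+) guarantee (\d+)Bps "
                       r"max (\d+)Bps traffic (\d+)Bps drops (\d+)B", re.M)
FIELDS = ("prio", "guarantee", "max", "traffic", "drops")

def parse_sessions(text):
    """Return one dict per session with its serial, policy_id and shaper counters."""
    sessions = []
    for chunk in text.split("session info:")[1:]:
        shapers = {m.group(1): {"name": m.group(2), **dict(zip(FIELDS, map(int, m.groups()[2:])))}
                   for m in SHAPER_RE.finditer(chunk)}
        pol = re.search(r"\bpolicy_id=(\d+)", chunk)  # \b skips shaping_policy_id
        ser = re.search(r"^serial=(\w+)", chunk, re.M)
        sessions.append({"serial": ser and ser.group(1),
                         "policy_id": pol and int(pol.group(1)), "shapers": shapers})
    return sessions

def review(sessions, near_limit=0.9):
    """Flag sessions with no shaper, and shapers that drop or run near their max."""
    findings = []
    for s in sessions:
        if not s["shapers"]:
            findings.append((s["serial"], "no shaper attached"))
        for direction, sh in s["shapers"].items():
            if sh["max"] and sh["traffic"] >= near_limit * sh["max"]:
                findings.append((s["serial"], f"{direction} {sh['name']} near max"))
            if sh["drops"]:
                findings.append((s["serial"], f"{direction} {sh['name']} dropped {sh['drops']}B"))
    return findings

if __name__ == "__main__":
    print(*review(parse_sessions(SAMPLE)), sep="\n")
```

The `policy_id` parsed for each session identifies the policy whose shaper attachment can then be checked with the iprope command.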


Check if specific traffic is attached to the correct traffic shaper:

 

diagnose firewall iprope list 100015

policy index=1 uuid_idx=0 action=accept
flag (0):
shapers: orig=shared-1M-pipe(2/0/128000) reply=shared-1M-pipe(2/0/128000)
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 3
source(1): 10.1.1.1-10.1.1.1, uuid_idx=14738,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=14716,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto


It is possible to check the bandwidth for the related shaper by adding a FortiView Traffic Shaping widget in: Dashboard -> Add Widget -> FortiView Traffic Shaping.

 



Related documents:
Shared traffic shaper

Traffic shaping Admin Guide