Solution
FortiOS provides sophisticated Quality of Service (QoS) features, based on traffic prioritization and shaping with policing and queuing. One approach is to apply a shaping profile directly to an outgoing interface, which is known as Interface-based traffic shaping profile. Its successful implementation depends on a combination of factors, including:
- The FortiGate platform and available hardware acceleration (NP6, NP6Lite, NP6XLite, NP7, NP7Lite);
- The outgoing interface type (e.g. physical, aggregate, VLAN, Zone);
- Other features on top of traffic shaping (security profiles, NetFlow and device detection, to name a few).
FortiOS is capable of handling the involved complexities and, if necessary, of automatically disabling hardware acceleration when it is not supported. However, in some corner cases, FortiOS might not correctly enforce a properly configured interface-based traffic shaping profile. If so, the visible symptoms are:
- Bandwidth limitations are not respected (e.g. excessive traffic is not dropped);
- The output from the CLI command 'diagnose netlink interface list <INTERFACE>' shows that the following egress traffic control counters have incorrect values or do not increase:
  - current-bandwidth
  - forwarded_bytes
  - dropped_packets
  - dropped_bytes
In such situations, the solution is to explicitly disable hardware acceleration in the matching firewall policy, as shown below:
config firewall policy
    edit <ID>
        ...
        set auto-asic-offload disable
    next
end
After configuring the matching firewall policy as above, the interface-based traffic shaping profile should work as expected. Moreover, the statistics shown by the following command should be correct:
diagnose netlink interface list <INTERFACE>
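Both the symptom check and the post-fix verification come down to the same observation: while traffic is known to be flowing through the shaper, the egress traffic control counters must move between two readings, and current-bandwidth must not exceed max-bandwidth. The following Python script is an added example, not part of this article or of FortiOS, that compares two captured outputs of 'diagnose netlink interface list <INTERFACE>' and reports the symptom. The exact field layout of the 'egress traffic control' section is an assumption modelled on the counter names listed above; the sample captures are constructed, so on a real unit you would paste two captures taken a few seconds apart.

```python
import re

# Constructed sample captures. The layout of the 'egress traffic control'
# section is an assumption; only the counter names (current-bandwidth,
# forwarded_bytes, dropped_packets, dropped_bytes) come from the article.
BROKEN_T0 = """\
if=port2 family=00 type=1 index=5 mtu=1500 link=0 master=0
egress traffic control:
bandwidth=100000(kbps) lock_hit=0 default_class=2 n_active_class=1
class-id=2 allocated-bandwidth=50000(kbps) guaranteed-bandwidth=50000(kbps)
max-bandwidth=50000(kbps) current-bandwidth=0(kbps)
priority=high forwarded_bytes=0
dropped_packets=0 dropped_bytes=0
"""
# Second capture, taken while traffic is flowing: nothing moved, which is
# the symptom of the shaper being bypassed by hardware offload.
BROKEN_T1 = BROKEN_T0

# Constructed captures of a working profile after auto-asic-offload was
# disabled on the matching policy: counters advance, bandwidth stays capped.
HEALTHY_T0 = BROKEN_T0
HEALTHY_T1 = """\
if=port2 family=00 type=1 index=5 mtu=1500 link=0 master=0
egress traffic control:
bandwidth=100000(kbps) lock_hit=0 default_class=2 n_active_class=1
class-id=2 allocated-bandwidth=50000(kbps) guaranteed-bandwidth=50000(kbps)
max-bandwidth=50000(kbps) current-bandwidth=49800(kbps)
priority=high forwarded_bytes=623000000
dropped_packets=1820 dropped_bytes=2730000
"""

COUNTERS = ("forwarded_bytes", "dropped_packets", "dropped_bytes")
MARKER = "egress traffic control:"
# key=value pairs; a trailing "(kbps)" unit is simply not consumed by \d+
KV = re.compile(r"([\w-]+)=(\d+)")


def parse_egress_tc(output):
    """Return {class_id: {field: int}} for the egress traffic control section.

    An empty dict means no shaping section was found on that interface.
    """
    if MARKER not in output:
        return {}
    section = output.split(MARKER, 1)[1]
    classes, current = {}, None
    for key, value in KV.findall(section):
        if key == "class-id":
            current = int(value)
            classes[current] = {}
        elif current is not None:  # skip the per-interface header fields
            classes[current][key] = int(value)
    return classes


def check_shaping(before, after):
    """Compare two captures taken while traffic flows through the shaper.

    Returns a list of (class_id, finding) tuples; an empty list means the
    counters behave as a working interface-based shaping profile should.
    """
    findings = []
    prev_classes, cur_classes = parse_egress_tc(before), parse_egress_tc(after)
    if not cur_classes:
        return [(None, "no egress traffic control section on this interface")]
    for cid, fields in cur_classes.items():
        prev = prev_classes.get(cid, {})
        deltas = {c: fields.get(c, 0) - prev.get(c, 0) for c in COUNTERS}
        if all(d == 0 for d in deltas.values()):
            findings.append((cid, "traffic control counters did not increase"))
        cap = fields.get("max-bandwidth", 0)
        if cap and fields.get("current-bandwidth", 0) > cap:
            findings.append((cid, "current-bandwidth exceeds max-bandwidth"))
    return findings


if __name__ == "__main__":
    for label, pair in (("broken", (BROKEN_T0, BROKEN_T1)),
                        ("healthy", (HEALTHY_T0, HEALTHY_T1))):
        print(label, check_shaping(*pair) or "OK")
```

A finding of "traffic control counters did not increase" on a class that is definitely carrying traffic is the cue to set auto-asic-offload to disable on the matching policy and re-run the comparison; once the fix is in place the second capture should advance the counters and the script should report nothing.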
Related documents:
- FortiOS 7.6.5 Administration Guide - Traffic shaping
- FortiOS 7.6.5 Hardware Acceleration - NP6 processors and traffic shaping
- FortiOS 7.6.5 Hardware Acceleration - NP7 and NP7Lite (SOC5) traffic shaping
- Technical Tip: FortiGate Disable Hardware Acceleration