Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
freshwater
New Contributor

Created on ‎09-04-2023 12:57 AM

Fortigate traffic shaping for specific traffic

Dear community,

 

We run several sites with 200F and 40-60F firewalls.

From some sites we need now to backup huge amount of data over IPSec Tunnels, which will run over several days

We know the bandwith at every site, and the only policy we want is a "low priorization" policy, so that the firewall policy for backup purposes is taking the full bandwith, if nothing else consumes it, but if ANY other traffic except this backup traffic firewall policy wanna consume traffic, it should get the traffic.
How is this going to be realized in Fortigates?
In other firewalls we simply set the bandwith at the interface, and just create a traffic shaping policy on that backup traffic, and set it to "guaranteed bandwith 10%, maximum bandwith 95%", so it just takes the bandwith if nothing else consumes it.
At Fortigate, the concept seems to be different, or not?

 

Thanks for your help

Labels:
1870
0 Kudos
8 REPLIES 8
ebilcari
Staff
Staff

Created on ‎09-04-2023 07:49 AM

I think the concept is the same. If there isn't a guaranteed bandwidth allocation for other types of traffic, the 95% maximum value you've set will continue to consume all available bandwidth and potentially compete with and starve normal traffic, especially if there isn't a minimum guaranteed value configured for that normal traffic.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1846
freshwater
New Contributor

Created on ‎09-06-2023 10:45 PM

The problem is, we have quite a lot of firewall rules on that firewall, and I don't want to flag 60-80 firewall-rules with bandwith policy, or wanna have this one backup data firewall policy with "lower priority" than regular traffic, without and bandwith policy.

I simply want regular traffic not being regulated down by backup traffic.

Or in simply words of Donald Trump:

Normal traffic first

Backup traffic second

 

Is there a way to configure that, without touch all the other firewall rules?

1821
0 Kudos
ebilcari
Staff
Staff
In response to freshwater

Created on ‎09-07-2023 05:39 AM

I think yes, just create two policies under Traffic Shaping Policies. The first Policy to set the guaranteed traffic for the "all" (except the backup) and another rule for the backup if you want to setup a limitation or a minimum guaranteed bandwidth to avoid starvation. 

shapers.png

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1802
freshwater
New Contributor
In response to ebilcari

Created on ‎09-07-2023 05:53 AM

I tried now out a few things, and got it work, let me just explain, if I understood right:
If I really wanna classify different traffic classes, with a "leftover class", which means, every other traffic, except the ones defined, first I need to make a Traffic shaping profile. Within the Profile, I define the different traffic classes (which I can define for the traffic in the policies later).

That I got to work so far.

The only thing, which was weird to me, is, that at the WAN interface, i can define beside the shaping profile itself just a outbound bandwith, which seems just to handle the maximum upload traffic to the internet.

To be able to get the shaping affecting the download traffic as well, I had to select the same profile at the LAN interface also with a outbound bandwith, which means download traffic, it seems like.

The only thing I wonder now: For internet it works perfectly. But what for example, if I have traffic between a DMZ interface and LAN interface. Then, if my understanding is correct, even if I don't have a shaping policy applied to this DMZ>LAN traffic, and because of the necessity to define a profile with outbound bandwith at LAN interface as well, to shape download direction, it will then also shape the DMZ>LAN download traffic, because of the default traffic class ID...?
Or is my understanding wrong?

I would have expected more a both direction bandwith definition at each interface, instead of one direction....

1796
0 Kudos
ebilcari
Staff
Staff
In response to freshwater

Created on ‎09-08-2023 08:08 AM

To apply the policy in both directions use the "Reverse shaper" option and select the same shaper.

Keep in mind that what you really control is the traffic going in the uplink direction so you can save the link saturation. In the downlink directions you just drop excessive traffic hopping that the sender will get the message (too many drops) and slow down the sending and save the link saturation.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1769
freshwater
New Contributor
In response to ebilcari

Created on ‎09-08-2023 10:00 AM

Sorry, but I don't get the two different kind of traffic shaping concepts here at Forti.

I would like to work with the traffic shaping profile, because it allows to define a default traffic shaping for all non-classified traffic, and I can classify the traffic just fine. But it seems like, on the WAN interface, it just applies to the "upload" direction.

When I use then a traffic shaping policy, I select JUST "Assign shaping class ID", and not "Apply shaper", because in my opinion, with the class ID it works just fine already. What is the sense to apply additionally a shaper, when I defined already the percentage options in the profile?

To define the used case again, I wanna define 3-4 classes of traffic like

- Voice (10% guar./30% max, Prio Top)
- VDI (80% guar./98% max, Prio Critical)
- Backup (10% guar./98% max, Prio Low)

- Default Traffic (set as Default, for all non-classified traffic: 10% guar./98% max Prio High)

 

and then I wanna define for some kind of traffic simply the according policies, just select the shaping profile, BUT wanna have that work in both directions.
Why do I need additionally trafic shapers, with fixed guar/max bandwith, additionally to this shaping profile, if shaping profile by itself works perfectly, just not in the other direction (until I activate on LAN interface, which most likely slows down also DMZ>LAN download traffic, I guess, or not...)?

 

1762
0 Kudos
freshwater
New Contributor
In response to freshwater

Created on ‎09-12-2023 10:32 PM

I found now a document, which allows also inbound traffic shaping profiling.

Is that the only way to configure inbound traffic shaping? Why they don't offer that over the GUI - it's very hard to get on the first sight to know, if inbound is running, and at which bandwith.

Or can you explain me the reason for that?

 

https://docs.fortinet.com/document/fortiproxy/7.2.0/administration-guide/822401/ingress-traffic-shap...

1643
0 Kudos
ebilcari
Staff
Staff
In response to freshwater

Created on ‎09-13-2023 06:14 AM

I guess FortiProxy will have a different logic than FGT, I can't tell. I have only played with this two options, haven't tried the shaping profiles and the behavior.

shapers3.PNG

But as I said shaping in download is not very efficient for private traffic that you can easily shape using the upload limit from the other side.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1629
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.