Hello,
i have a 4m/0.9m adsl connection and want to prioritize inbound traffic. So to test that, i'm using an example with http and ftp. When i'm downloading from ftp at full speed, http must be higher priority to not suffer from ftp inbound. In a very simple steps, i have created 4 shapers :
"Down Low" : FTP 0.1Mb guaranted and 3.9Mb max Low prio
"Down High" : HTTP 3.8Mb guaranted and 3.9Mb max High prio
"Up Low" : FTP 0.1Mb / 0.7Mb Low
"Up High" : HTTP 0.6Mb / 0.7Mb High
Wan1 interface set inbound 3900Kb/outbound 700Kb
2 policies: internal -> wan1, FTP shaper "Up Low"/ Reverse "Down Low". HTTP shaper "Up High" / "Down High"
Upload is working very well, when FTP is at 0.7Mb, sending http will drop FTP to 0.1Mb. But downloading is not working. I have tested all the possibilites of guaranted traffic, DSCP, TOS, using same shaper with low priority, application control, nothing. FTP and HTTP downloading is approx the same rate 50% of inbound. I have also tested with no max and with no guaranted, not better. I can limit max bandwitdh to ftp, it's working but it is not i'm searching, i want FTP downloading to use max when other traffic is idle and being low when http traffic is used.
I have used too many times on this problem and support have no solution. So is the fortigate is really capable of limiting inbound traffic like i want ?
Thanks :o)
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
From the description of the problem, it sounds as if one or both polices are not being hit. Are there other firewall policies configured on the fgt that are above your two test polices?
Unless bandwidth allocation has changed since the 4.3 days, I would be a bit caution with setting/reserving any "guaranteed" bandwidth on a service or policy -- it pretty much telling the fgt to set aside this much bandwidth for this service/policy, meaning it will not be available for anything else; at least that is my understanding.
True traffic shaping requires setting up max bandwidth on the WAN port (which you have done) and apply traffic shaping to all the firewall policies, including setting low, med, high priorities. (Traffic shaping defaults to using per policy as appose to "All Policies Using This Shaper", which people need to be aware of.)
FTP uses port 21 for control/command and port 20 for data transfer (and not sure of what other ports are in use); make sure your ftp policy cover those other ports too.
Perhaps try tracing the traffic to see which policies are being hit, something along the lines of...
diag debug reset diag debug flow filter saddr <source IP address> diag debug flow show console enable diag debug flow trace start 1000 diag debug en
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Policies are matched and this problem is still the same on 4.3 and 5.0. FTP download is using "Download Low" and HTTP download "Download High". Logically, le fgt must drop FTP packets to guaranty HTTP 400KB/sec but not. The same schema is working perfectly with HTTP "Upload High"and FTP "Upload Low".
(I have tested this situation with various firewall/routers like pfsense or tomato firmware just to see, it works like a charm...)
Hello,
i'm back with my Traffic Shaping problem. I have tested more things and my final word is the download QoS on Fortigate OS DOESN'T work if you want to just prioritize ingress traffic with no limit. For sure, it's not complicated, i wanted to prioritize http from ftp or others like p2p...
FWIW
You can never TS inbound. TS is design to adjust and queue traffic OUTBOUND. Always been that way.
TS = outbound ( tries to allow all traffic by the use of buffer and queuing bad for higher latency applications like realtime voice )
TP = in or outbound ( but drop traffic when you exceed the limits that are set )
PCNSE
NSE
StrongSwan
I know this is not a normal working set i want. But in pfsense for example, it's working very well with one method, shaping LAN outbound. The fortigate cannot do that because we must configure it in reverse shaping of the wan rule. Another example is Tomato firmware or dd-wrt/openwrt, it's working very well on inbound traffic. So i think FG cannot do that after many tests.
Your are very mistaken, you can't TS inbound your can TP ( traffic police ) . TS is for managing outbound traffic for network edge and setting traffic prioritization within the buffer ( output queue ) where congestion might occur. Great for managing QoS requirements.
Think about ,
you can't effectively limit traffic flooding your "inbound" on a interface with a TS. It's already present ;)
But
You can easily control what traffic is sent by you and with set priorities and with rate or limits or guarantees
What did you configure in your firewall TS/TP profiles?
Fortigate has a very well maintain TS-guideline that you should find on the kb.docs and read. It explains the pro/neg and limitations iirc & the differences with TS and TP.
ken
PCNSE
NSE
StrongSwan
I have posted a screenshot on my second response. I'm an advanced fortigate user and like you said, TS is not logical on inbound traffic, only outbound. My example is about FTP/HTTP. So the config is simple, 1 TS for outbound High, 1 for outbound Low, 1 for Inbound High and 1 for inbound Low. Two policies, 1 for HTTP and 1 for others with the shapers. I see that the inbound is using the right shapers but no priorities is applied. I'm searching the solution.
From what you posted, you are guaranteeing the slow policy almost the full upload pipe. If that's the case, then yes, you won't see much benefit. Your guaranteed needs to be substantially less than the full pipe to reserve space for all else and overhead. Look at it this way, when all else gets .7 of .9 Mbps, then HTTP only gets .2 Mbps when FTP is going full speed. .2 Mbps is dialup speed. Remember, every packet inbound has an accompanying packet outbound for confirmation (for FTP, UDP could be a different animal). Additionally, if FTP is an issue, I would further break it out into it's own policy, then have a catch all for the rest. It may be something else that's flooding your pipe: File sharing, YouTube, etc...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
I have applied 12KB/412KB for inbound low and 400KB/412KB for inbound High, it's not the right method ? In a perfect world, FTP should down to 12KB/s while HTTP 400KB/s, no ?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.