Hi,
I'm evaluating FortiGate firewalls for use in our network, and for testing I got an FG101F (with v6.4.3) to play around with at home and get a feel for FortiOS etc. Most of the stuff I tried is working fine, but I have a hard time configuring traffic shaping on the WAN interface. My primary goal is to prevent congestion that, for example, egress UDP traffic can cause, by limiting all egress traffic on the WAN interface to a specific throughput and giving some applications priority over the others. My understanding was that I need to:
Unfortunately, that doesn't seem to work, as there is no limiting of egress traffic. Actual upload bandwidth is 6 Mbps; I set the bandwidth to 4 Mbps.
Looking at the session that is generating the traffic (SCP to remote server):
fw-1 # diagnose sys session list
session info: proto=6 proto_state=11 duration=1761 expire=3590 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper= reply-shaper= per_ip_shaper= class_id=3 shaping_policy_id=5 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00 app_valid
statistic(bytes/packets/allow_err): org=1180266409/914030/1 reply=21615569/421425/1 tuples=3
tx speed(Bps/kbps): 806177/6449 rx speed(Bps/kbps): 14746/117
orgin->sink: org pre->post, reply pre->post dev=47->7/7->47 gwy=Y.Y.Y.1/10.0.10.10
hook=post dir=org act=snat 10.0.10.10:56912->X.X.X.X:22(Y.Y.Y.Y:56912)
hook=pre dir=reply act=dnat X.X.X.X:22->Y.Y.Y.Y:56912(10.0.10.10:56912)
hook=post dir=reply act=noop X.X.X.X:22->10.0.10.10:56912(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=a8:a1:59:08:03:c4
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=002c9ebd tos=ff/ff app_list=2000 app=16060 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x003c08
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=66/70, ipid=70/66, vlan=0x000a/0x0000
vlifid=70/66, vtag_in=0x000a/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=7/4
total session 1
Traffic seems to have the right class_id and was classified by correct shaping policy:
fw-1 # show firewall shaping-policy 5
config firewall shaping-policy
    edit 5
        set name "network-services"
        set service "ALL"
        set app-category 15
        set dstintf "wan1"
        set class-id 3
        set srcaddr "all"
        set dstaddr "all"
    next
end
I also don't have any traffic shaping policies that actually shape traffic (they just assign the class id) if that matters. This is my outbound shaping profile (note that class-id 3 has a maximum-bandwidth-percentage set to 20%):
fw-1 # show firewall shaping-profile
config firewall shaping-profile
    edit "outbound-profile"
        set default-class-id 2
        config shaping-entries
            edit 1
                set class-id 2
                set priority medium
                set guaranteed-bandwidth-percentage 10
                set maximum-bandwidth-percentage 90
            next
            edit 2
                set class-id 3
                set priority critical
                set guaranteed-bandwidth-percentage 10
                set maximum-bandwidth-percentage 20
            next
            edit 3
                set class-id 4
                set priority low
                set maximum-bandwidth-percentage 90
            next
            edit 4
                set class-id 5
                set guaranteed-bandwidth-percentage 30
                set maximum-bandwidth-percentage 90
            next
            edit 5
                set class-id 6
                set priority top
                set guaranteed-bandwidth-percentage 20
                set maximum-bandwidth-percentage 40
            next
        end
    next
end
And finally this is the configuration of the WAN1 interface:
fw-1 # show system interface wan1
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping
        set type physical
        set inbandwidth 60000
        set outbandwidth 4000
        set egress-shaping-profile "outbound-profile"
        set monitor-bandwidth enable
        set role wan
        set snmp-index 3
        set macaddr 00:1d:70:1a:0c:b0
    next
end
It seems that the traffic is classified correctly but is not shaped on the WAN interface (like there's not enough traffic to activate the shaper).
fw-1 # diagnose netlink interface list wan1
if=wan1 family=00 type=1 index=7 mtu=1500 link=0 master=0
ref=212 state=start present fw_flags=0 flags=up broadcast run multicast
Qdisc=mq hw_addr=00:1d:70:1a:0c:b0 broadcast_addr=ff:ff:ff:ff:ff:ff
inbandwidth=60000(kbps) total_bytes=0 drop_bytes=0
egress traffic control:
bandwidth=4000(kbps) lock_hit=0 default_class=2 n_active_class=5
class-id=4 allocated-bandwidth=0(kbps) guaranteed-bandwidth=0(kbps)
max-bandwidth=3600(kbps) current-bandwidth=0(kbps) priority=low
forwarded_bytes=0 dropped_packets=0 dropped_bytes=0
class-id=2 allocated-bandwidth=400(kbps) guaranteed-bandwidth=400(kbps)
max-bandwidth=3600(kbps) current-bandwidth=32(kbps) priority=medium
forwarded_bytes=6254K dropped_packets=0 dropped_bytes=0
class-id=5 allocated-bandwidth=1200(kbps) guaranteed-bandwidth=1200(kbps)
max-bandwidth=3600(kbps) current-bandwidth=4(kbps) priority=high
forwarded_bytes=271K dropped_packets=0 dropped_bytes=0
class-id=3 allocated-bandwidth=800(kbps) guaranteed-bandwidth=400(kbps)
max-bandwidth=800(kbps) current-bandwidth=0(kbps) priority=critical
forwarded_bytes=50K dropped_packets=0 dropped_bytes=0
class-id=6 allocated-bandwidth=1600(kbps) guaranteed-bandwidth=800(kbps)
max-bandwidth=1600(kbps) current-bandwidth=0(kbps) priority=top
forwarded_bytes=0 dropped_packets=0 dropped_bytes=0
stat: rxp=166142958 txp=99311737 rxb=197027690325 txb=17448900949 rxe=0 txe=0 rxd=0 txd=0 mc=0 collision=0
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0
input_type=0 state=3 arp_entry=0 refcnt=212
This output shows 0 kbps for class-id 3 even though the session is sending at 6 Mbps. I would expect that setting the outbound bandwidth to 4 Mbps would limit egress traffic regardless of classification.
I hope I showed enough relevant config snippets, and I'll provide additional info if you need it. As this is my first week with FortiGate, it could be that I'm missing something obvious, so I would appreciate your help.
Thanks,
Pavle
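The mismatch in the post above (a session reporting 6449 kbps of egress while its shaping class reports 0 kbps and a cap of 800 kbps) is the kind of thing worth checking mechanically when validating that a bandwidth control is actually in the traffic path. The script below is an added example, not code from the post or from Fortinet: it parses the `diagnose netlink interface list` and `diagnose sys session list` output formats shown above (with the line breaks FortiOS prints restored; the values are the post's own) and flags sessions whose measured rate contradicts the shaper's per-class counters. The `ShaperClass`, `Session`, `parse_interface`, `parse_sessions` and `audit` names are this example's own, and reading the `npu` token in the session `state=` line as "forwarded by the NP ASIC" is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the post's outputs, re-wrapped onto lines. Values unchanged.
NETLINK_OUTPUT = """\
if=wan1 family=00 type=1 index=7 mtu=1500 link=0 master=0
inbandwidth=60000(kbps) total_bytes=0 drop_bytes=0
egress traffic control:
bandwidth=4000(kbps) lock_hit=0 default_class=2 n_active_class=5
class-id=4 allocated-bandwidth=0(kbps) guaranteed-bandwidth=0(kbps) max-bandwidth=3600(kbps)
current-bandwidth=0(kbps) priority=low forwarded_bytes=0 dropped_packets=0 dropped_bytes=0
class-id=2 allocated-bandwidth=400(kbps) guaranteed-bandwidth=400(kbps) max-bandwidth=3600(kbps)
current-bandwidth=32(kbps) priority=medium forwarded_bytes=6254K dropped_packets=0 dropped_bytes=0
class-id=5 allocated-bandwidth=1200(kbps) guaranteed-bandwidth=1200(kbps) max-bandwidth=3600(kbps)
current-bandwidth=4(kbps) priority=high forwarded_bytes=271K dropped_packets=0 dropped_bytes=0
class-id=3 allocated-bandwidth=800(kbps) guaranteed-bandwidth=400(kbps) max-bandwidth=800(kbps)
current-bandwidth=0(kbps) priority=critical forwarded_bytes=50K dropped_packets=0 dropped_bytes=0
class-id=6 allocated-bandwidth=1600(kbps) guaranteed-bandwidth=800(kbps) max-bandwidth=1600(kbps)
current-bandwidth=0(kbps) priority=top forwarded_bytes=0 dropped_packets=0 dropped_bytes=0
"""

SESSION_OUTPUT = """\
session info: proto=6 proto_state=11 duration=1761 expire=3590 timeout=3600
origin-shaper= reply-shaper= per_ip_shaper= class_id=3 shaping_policy_id=5 ha_id=0
state=log may_dirty npu f00 app_valid
tx speed(Bps/kbps): 806177/6449 rx speed(Bps/kbps): 14746/117
hook=post dir=org act=snat 10.0.10.10:56912->X.X.X.X:22(Y.Y.Y.Y:56912)
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=66/70, ipid=70/66
total session 1
"""


@dataclass
class ShaperClass:
    cid: int
    guaranteed_kbps: int
    max_kbps: int
    current_kbps: int      # live rate the shaper itself has measured for this class
    priority: str
    forwarded_bytes: str   # kept as printed ("6254K"); the unit multiplier is not documented here
    dropped_packets: int


@dataclass
class Session:
    flow: str              # "src:port->dst:port(nat)" from the original-direction hook line
    class_id: int
    shaping_policy_id: int
    tx_kbps: int
    npu_offloaded: bool    # assumption: "npu" in the state= line means ASIC-forwarded


CLASS_RE = re.compile(
    r"class-id=(\d+)\s+allocated-bandwidth=\d+\(kbps\)\s+guaranteed-bandwidth=(\d+)\(kbps\)\s+"
    r"max-bandwidth=(\d+)\(kbps\)\s+current-bandwidth=(\d+)\(kbps\)\s+priority=(\w+)\s+"
    r"forwarded_bytes=(\w+)\s+dropped_packets=(\d+)")


def parse_interface(text):
    """Return (egress cap in kbps, {class-id: ShaperClass}) from netlink interface output."""
    cap = re.search(r"egress traffic control:\s*bandwidth=(\d+)\(kbps\)", text)
    cap_kbps = int(cap.group(1)) if cap else 0
    classes = {}
    for m in CLASS_RE.finditer(text):
        cid, guar, mx, cur, prio, fwd, dpk = m.groups()
        classes[int(cid)] = ShaperClass(int(cid), int(guar), int(mx), int(cur), prio, fwd, int(dpk))
    return cap_kbps, classes


def parse_sessions(text):
    """Split session list output on 'session info:' and pull the shaping-relevant fields."""
    sessions = []
    for chunk in text.split("session info:")[1:]:
        def grab(pattern, default="0"):
            m = re.search(pattern, chunk)
            return m.group(1) if m else default
        # (?<!\w) keeps proto_state= and npu_state= from matching the session state line.
        state_tokens = grab(r"(?<!\w)state=([^\n]*)", "").split()
        sessions.append(Session(
            flow=grab(r"hook=post dir=org act=\w+ (\S+)", "?"),
            class_id=int(grab(r"class_id=(\d+)")),
            shaping_policy_id=int(grab(r"shaping_policy_id=(\d+)")),
            tx_kbps=int(grab(r"tx speed\(Bps/kbps\): \d+/(\d+)")),
            npu_offloaded="npu" in state_tokens))
    return sessions


def audit(netlink_text, session_text):
    """Flag sessions whose measured egress rate contradicts the shaper's own counters."""
    cap_kbps, classes = parse_interface(netlink_text)
    findings = []
    for s in parse_sessions(session_text):
        cls = classes.get(s.class_id)
        if cls is None:
            findings.append(f"{s.flow}: class_id {s.class_id} has no entry in the egress profile")
            continue
        # The session is faster than its class cap, yet the class sees almost none of it:
        # the shaper is not in the path of this traffic.
        if s.tx_kbps > cls.max_kbps and cls.current_kbps < cls.max_kbps:
            findings.append(f"{s.flow}: tx {s.tx_kbps} kbps exceeds class {cls.cid} max {cls.max_kbps} kbps "
                            f"while the class counter shows {cls.current_kbps} kbps"
                            + (" (session is NPU-offloaded)" if s.npu_offloaded else ""))
        if s.tx_kbps > cap_kbps:
            findings.append(f"{s.flow}: tx {s.tx_kbps} kbps exceeds the interface cap of {cap_kbps} kbps")
    return findings


if __name__ == "__main__":
    for line in audit(NETLINK_OUTPUT, SESSION_OUTPUT):
        print(line)
```

Run against the post's own numbers it produces two findings for the SCP session: one against the 800 kbps class cap and one against the 4000 kbps interface cap, with the class counter sitting at 0 kbps. Feeding it fresh output from the two `diagnose` commands after each configuration change gives a repeatable pass/fail check instead of eyeballing the counters.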
I'm having almost the exact same issue in my environment. Set a limit of 300 Mbps on the interface, set up a shaper profile with class-ids, assigned policies that assign the class-ids, applied the policy, then bam! Nothing is throttled, hitting speeds of 500+ Mbps, and the interface shows little to no activity via CLI.
Right now I have a policy that directly applies a shaper instead of a class-id, to hold things together for now.
FG60E running FortiOS 6.2.5.
Copyright 2024 Fortinet, Inc. All Rights Reserved.