Hello All, I'm working with a customer to give the best user experience on applications and traffic.
The firewall is a 600C and there is a lot of locally routed traffic. The critical points, of course, are traffic to the Internet and from the Internet.
I'm planning this:
I want to set the default ToS for all traffic to low. By default it's at medium:
FGT (global) # get | grep tos
tos-based-priority : medium
I want to create 7 new profiles that go from scavenger to real-time traffic. I want to align them with my application bandwidth requirements and so shape based on my needs.
I've a 100 Mbit Internet connection, so I will consider 100 Mbit to be 100% of the pipe capacity for the Internet.
But... what about the traffic that goes from LAN to DMZ, or the opposite, or all the locally routed traffic that passes via gigabit interfaces?
I would like to be sure that critical traffic there (locally routed traffic) is in the correct queue, but I don't want to shape it, since I'm fine if it reaches the gigabit transmission speed.
What is the best practice here to queue the critical traffic in the best way? Do you suggest using another 7 QoS profiles for locally routed traffic?
Any other suggestion?
Thanks a lot
anybody for this?
Thanks
oliverlag wrote: anybody for this?
Perhaps take a look at the Traffic Shaping handbook. (Link is for 5.2.2.) Personally, I only played around with traffic shaping on streaming media (all of our clients are based in remote areas with mostly sat. link-ups). I think most traffic shaping guides are geared towards implementing shaping on the edge router to the Internet. Our internal network is sectioned into VLANs and isolated switch segments; not so much "traffic shaping" is actually being performed, though there is rate limiting placed on some of the switch/router ports depending on what is connected to them.
One thing I should point out about implementing "full" traffic shaping on the FortiGate is that it's mostly done via the CLI, as is any diagnostics/troubleshooting needed. So just looking at the traffic graphs on the GUI won't tell you the full picture unless you already know there is some sort of traffic shaping/QoS going on.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Thanks for your reply.
I've already had a look at the TS guide.
My doubts are about "full shaping" on all rules vs. selective shaping on some rules only.
It's pretty difficult to do full shaping on a 600-ACL firewall.
Thanks anyway
Hey,
nobody on this?
Just looking for some advice.
Thanks
Fortinet should rename their traffic shaping tab to traffic policing. Getting this granular in QoS really requires a router. As noted in the QoS guide you read, Fortinet evaluates throughput in 1-second bin sizes and polices traffic that exceeds the limit. To the best of my knowledge and experience, there is no WFQ, CBWFQ, RED, WRED, or deep queuing. If you try to implement multiple low-bandwidth (this is a 600C) shapers, it will kill micro-bursts (TCP). I think you'll find this type of approach will make things worse. Making some assumptions on the client's requirements, generally the best idea is to do basic 'shaping' / de-prioritization for regular BYOD / guest / entertainment traffic. If you have SIP, RTP, or other voice / streaming video, it should be assigned to a higher priority queue.
If you have actual requirements for QoS and minimum bandwidth, invest in an appliance made specifically for traffic control or do it yourself on a real router.
I do wish Fortinet would publish more information on queuing capabilities, even if only to partners. The traffic management guide isn't technical enough.
I agree 100% with your assessment and review of the FortiGate firewall's shortcomings in this area, but keep this in mind: "this is a firewall first, and the #1 job of the firewall is to do other things, with TS/TP as a lower requirement."
If an org is serious about traffic classification/marking and TS/TP, they would use other devices such as routers, L2 or L2+3 switches, etc. These devices perform better and support CB-WFQ, WFQ, RED, WRED, SRED, PQ, etc.
To complain about the firewall not doing this better or as well as XYZ is like complaining when using a spoon for eating a steak. It can put food in your mouth, but the fork or even a spork would be so much better, and the latter two still suck when eating soup.
Now, I believe the carrier-class offering from Fortinet has better TS/TP functions. I also can't think of any other firewall that has successfully climbed this slope into the realm of top-quality TS/TP and that could outdo a true router or layer 3 switch.
PCNSE
NSE
StrongSwan
thanks guys for your replies.
What I want to do with this customer is give a colour to each type of traffic, from scavenger to real-time traffic.
I'm partially doing this with success, but I have to go through more than 600 ACLs.
All 600 ACLs involve traffic from fast interfaces (100/1000) to the Internet and vice versa. I would not colour the traffic between fast interfaces (LAN to DMZ, etc.).
Once done, I'm not sure what to do with "tos-based-priority". If I leave it at medium, each uncoloured flow will always be at medium.
If I change it to low, the intra-(fast)interface traffic will be queued in the slowest queue.
F-xxxxx (global) # get | grep tos
tos-based-priority : medium
I agree I would be better off working with a router, but my L3 here is partially a Cisco switch and partially the FortiGate. In front of the FortiGate I don't have routers under my management.
At the same time I got very good results prioritizing real-time traffic on the FGT, and so the customer wants all QoS done on it.
What would you do if you would have to do the same job?
Thanks a lot
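As an added illustration (not from any post in this thread) of the layout the original poster describes in the first post and again above: global tos-based-priority set to low, per-ToS overrides so already-marked critical flows stay out of the low queue on the gigabit LAN/DMZ policies that carry no shaper, and per-policy shapers only on the Internet-facing policies. The syntax is FortiOS 5.2 CLI. Interface names (internal, dmz, wan1), shaper names, the bandwidth figures (kbps), the policy IDs and the two ToS table values are assumptions chosen for the example and must be replaced with the values from your own marking scheme; the lines starting with # are annotations, not CLI input.

```fortios
# 1. Queue placement for everything that carries no shaper:
#    default every unmarked flow to the low queue ...
config system global
    set tos-based-priority low
end
# ... but lift flows whose IP ToS nibble is already marked as critical
#    into the high (or medium) queue, so LAN<->DMZ traffic is queued by
#    its marking without any bandwidth cap. The 'tos' values (0-15)
#    below are placeholders for this example.
config system tos-based-priority
    edit 1
        set tos 12
        set priority high
    next
    edit 2
        set tos 8
        set priority medium
    next
end
# 2. Shapers sized against the 100 Mbit Internet pipe (values in kbps).
#    per-policy enable gives each policy its own counters instead of
#    one pool shared by every policy that references the shaper.
config firewall shaper traffic-shaper
    edit "rt-voice"
        set priority high
        set guaranteed-bandwidth 10000
        set maximum-bandwidth 100000
        set per-policy enable
    next
    edit "scavenger"
        set priority low
        set guaranteed-bandwidth 0
        set maximum-bandwidth 5000
    next
end
# 3. Shapers are attached only on Internet-facing policies (both
#    directions, since a shaper acts on egress of the forward flow only).
#    The LAN->DMZ policy gets no shaper: it inherits the ToS-based queue
#    from step 1 and is free to run at interface speed.
config firewall policy
    edit 101
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP"
        set traffic-shaper "rt-voice"
        set traffic-shaper-reverse "rt-voice"
    next
    edit 102
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two checks worth doing before rolling this across hundreds of policies: confirm with the diagnose firewall shaper commands (for example diagnose firewall shaper traffic-shaper list) that a test flow is really counted against the shaper you expect, since the GUI graphs do not show queue placement, and remember that guaranteed-bandwidth and maximum-bandwidth are policed per one-second window rather than scheduled by a weighted queue, so a maximum set too close to a flow's real rate will clip its bursts rather than smooth them.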
I would personally buy a Packeteer (BCS) and use this. It has better application/protocol awareness and is designed to do exactly what you want; it would be 10000x better for WAN bandwidth management than any FTNT product.
If you really need to do this on 600+ ACLs, in the long run you would be better off going this route. You would also have the flexibility to apply dynamic bandwidth controls based on TOD and other parameters, and to overflow traffic into queues when congestion is not applicable for app/proto xyz, so your TS will apply as congestion ramps on or off.
If you have the time and creativity you can also look at the OTS (Open Source Traffic Shaper); not sure how well it's maintained, but it does an okay job. It's not a BCS ;)
Once again, a FortiGate is a great firewall, but it's not an ALL-IT-CAN-DO box. Some things are truly better handled by a third-party appliance or software.
PCNSE
NSE
StrongSwan