Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: Traffic Shapping
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Traffic Shapping
I have setup traffic shaping on a Fortigate 60C and it seems to be mostly working, but latency on the Internet link still increases when downloads are running, is this normal?
I have a 10Mb fiber connection, one internal port of the Fortigate is traffic shaped to 2.4Mb, and the other is shaped to 5Mb.
I also have the 2.5Mb network set to priority low and the 5Mb set to high in the traffic shaping rule.
If I download a large file on the 2.5Mb network from the internet I can see it is correctly restricted to a speed of 2.5Mb on the download, but ping responses on the 5Mb network go up from 1 -2ms to 150-250ms while the download is running, and general web access seems less responsive.
Is this normal of all traffic shaped internet connections, I thought the whole point of traffic shaping was to be able to segment off your Internet connection into different pipes that don' t affect each other?
Any help would be appreciated.
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No matter how you slice it, when your pipe nears capacity, you will notice a slow down in response.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But I would have thought if I had a 10Mb pipe then when the 2.5Mb Lan downloads a file using that whole 2.5Mb, it would still leave the rest of the 7.5Mb running nice and fast without much latency increase as the pipe is not at capacity.
I have confirmed using the Fortigate dashboard stats that the 2.5Mb download is only running at 2.5Mb and nothing much else is going on, so there is still lots of bandwidth left.
Thanks for your reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is that traffic shaping is only effective on one side of the pipe. The FGT can put traffic into (3) different priority queues and service them differently. For the lowest queue, it will have to drop packets to keep the bandwidth below the specified threshold. But dropped packets are forwarded from the ISP in any case (I' m talking about download traffic here) so the pipe itself will not benefit much from this.
Secondly, all BW management is done through priorities; ping as a service will have a very low priority itself, compared to ftp, http and so on. So higher RTT values with ping should not be taken as a measure of available BW. But they are indicative.
I' d set up this to clarify the situation: download a huge file (some GBs) via the 2.5 Mbps line. See it saturating the allocated BW. Now, make a second download of a huge file using the second WAN line. Here, you should be able to utitlize 7.5 Mbps BW.
If you can confirm this, you have achieved all you can with a one-sided traffic prioritization. Note that limiting BW on one link will not necessarily guarantee low latency on another one, only BW.
I think I remember there' s a KB article on traffic shaping, you might search for it for more details.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok I see your point about download traffic, so if the pipe from the ISP to the Fortinet is 10Mb, the traffic shaping will be receiving the full 10Mb from the ISP on the outside interface, and then dropping any packets over the 2.5Mb, so in effect still flooding the 10Mb pipe from the ISP to the fortinet.
I thought TCP traffic was smarter than that, and when an end point in the communication can only run at a certain speed it told the other end to only send traffic at that speed.
I wonder how this affects things like voice, we also have voice traffic shaping and prioritisation setup, so voice has 1Mb at High, the 7.5Mb is at Medium, and the 2.5Mb is at low.
So are we saying inbound (download) traffic shaping is not really that effective unless it is done at the ISP using traffic shapping or VLAN' s with different bandwidth profiles.
I will do some more testing with the two downloads and report back.
Thanks for your assistance.
Shane
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wow, have read this thread now and I' m very surprised!
We have latency problems, so we applied on each important policy a Traffic Shaping rule. This morning we had an extremly high peak again which consumes the whole bandwith 15Mbps from our ISP to the FG, although the policy has a Traffic Shaping limit from 2Mbps.
So if this is true what you guys wrote here, how can we limit the download bandwith for a policy so a download would not use the the full 15Mbps from the ISP?
Wayne
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just if someone else has this problems, after we set on each outbound policy with active traffic shaping the " Shared Traffic Shaper Reverse Direction" it' s working like a charm 
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alternatively, you could use a ' per-IP' traffic shaper which controls both directions. If you have a number of users, why limit everyone if only a few overuse the line?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Because we have latency problems and an initiated download was consuming the whole throughput from the pipe of our ISP. So if just one of my users is initiating a download to a fast web server, it would use 15Mbps and all other have latency problems, especially our external Outlook users. That' s why in our case a traffic shaping for all users on the http, https and ftp policy is the best solution in my opinion.
But thx for your suggestion.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A couple things come to mind here for me:
1) Did you tell the FGT what the pipe sizes are?
config system interface
edit " port2"
set vdom " root"
set ip blah-blah-blah
set allowaccess ping https
set type physical
set tcp-mss 1470
set inbandwidth 12800 <-Inbound pipe size (in Kilo BYTES! in V4.2)
set outbandwidth 12800 <-Outbound pipe size (in Kilo BYTES! in V4.2)
set description " Outside (Internet) interface"
set alias " Internet"
set speed 100full
next
end
2) Did you set the default traffic priority to something less than high?
config system global
set tos-based-priority medium
end
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Labels
-
FortiGate
10,769 -
FortiClient
2,198 -
FortiManager
902 -
5.2
687 -
FortiAnalyzer
687 -
5.4
638 -
FortiSwitch
595 -
FortiClient EMS
578 -
FortiAP
568 -
IPsec
442 -
6.0
416 -
SSL-VPN
390 -
FortiMail
380 -
5.6
362 -
FortiNAC
297 -
FortiWeb
256 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
205 -
FortiAuthenticator
184 -
FortiGuard
160 -
5.0
152 -
Firewall policy
147 -
FortiGate-VM
139 -
6.4
128 -
FortiCloud Products
118 -
FortiToken
114 -
FortiSIEM
113 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
91 -
Customer Service
88 -
FortiProxy
79 -
SAML
77 -
ZTNA
77 -
Routing
76 -
Fortivoice
73 -
DNS
73 -
VLAN
73 -
BGP
72 -
FortiEDR
71 -
Authentication
71 -
FortiADC
69 -
Certificate
69 -
RADIUS
64 -
LDAP
63 -
FortiLink
59 -
SSO
57 -
FortiSandbox
55 -
NAT
55 -
FortiExtender
52 -
VDOM
50 -
4.0MR3
49 -
Interface
49 -
Application control
48 -
Virtual IP
44 -
FortiDNS
43 -
Logging
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
SSL SSH inspection
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
29 -
FortiGate v5.2
28 -
Traffic shaping
26 -
Static route
26 -
Fortigate Cloud
25 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
20 -
OSPF
20 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSoar
18 -
FortiAP profile
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiEdge Cloud
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2678 | |
| 1412 | |
| 810 | |
| 703 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.