I have set up traffic shaping on a Fortigate 60C and it seems to be mostly working, but latency on the Internet link still increases when downloads are running. Is this normal?
I have a 10Mb fiber connection, one internal port of the Fortigate is traffic shaped to 2.4Mb, and the other is shaped to 5Mb.
I also have the 2.5Mb network set to priority low and the 5Mb set to high in the traffic shaping rule.
If I download a large file on the 2.5Mb network from the internet I can see it is correctly restricted to a speed of 2.5Mb on the download, but ping responses on the 5Mb network go up from 1-2ms to 150-250ms while the download is running, and general web access seems less responsive.
Is this normal for all traffic-shaped internet connections? I thought the whole point of traffic shaping was to be able to segment off your Internet connection into different pipes that don't affect each other.
Any help would be appreciated.
But I would have thought if I had a 10Mb pipe then when the 2.5Mb LAN downloads a file using that whole 2.5Mb, it would still leave the rest of the 7.5Mb running nice and fast without much latency increase, as the pipe is not at capacity.
I have confirmed using the Fortigate dashboard stats that the 2.5Mb download is only running at 2.5Mb and nothing much else is going on, so there is still lots of bandwidth left.
Thanks for your reply
The problem is that traffic shaping is only effective on one side of the pipe. The FGT can put traffic into (3) different priority queues and service them differently. For the lowest queue, it will have to drop packets to keep the bandwidth below the specified threshold. But dropped packets are forwarded from the ISP in any case (I'm talking about download traffic here) so the pipe itself will not benefit much from this.
Secondly, all BW management is done through priorities; ping as a service will have a very low priority itself, compared to ftp, http and so on. So higher RTT values with ping should not be taken as a measure of available BW. But they are indicative.
I'd set up this to clarify the situation: download a huge file (some GBs) via the 2.5 Mbps line. See it saturating the allocated BW. Now, make a second download of a huge file using the second WAN line. Here, you should be able to utilize 7.5 Mbps BW.
If you can confirm this, you have achieved all you can with a one-sided traffic prioritization. Note that limiting BW on one link will not necessarily guarantee low latency on another one, only BW.
I think I remember there's a KB article on traffic shaping, you might search for it for more details.
OK, I see your point about download traffic. So if the pipe from the ISP to the Fortinet is 10Mb, the traffic shaping will be receiving the full 10Mb from the ISP on the outside interface, and then dropping any packets over the 2.5Mb, so in effect still flooding the 10Mb pipe from the ISP to the Fortinet.
I thought TCP traffic was smarter than that, and when an end point in the communication can only run at a certain speed it told the other end to only send traffic at that speed.
I wonder how this affects things like voice, we also have voice traffic shaping and prioritisation setup, so voice has 1Mb at High, the 7.5Mb is at Medium, and the 2.5Mb is at low.
So are we saying inbound (download) traffic shaping is not really that effective unless it is done at the ISP using traffic shaping or VLANs with different bandwidth profiles?
I will do some more testing with the two downloads and report back.
Thanks for your assistance.
Wow, have read this thread now and I'm very surprised!
We have latency problems, so we applied on each important policy a Traffic Shaping rule. This morning we had an extremely high peak again which consumed the whole bandwidth of 15Mbps from our ISP to the FG, although the policy has a Traffic Shaping limit of 2Mbps.
So if this is true what you guys wrote here, how can we limit the download bandwidth for a policy so a download would not use the full 15Mbps from the ISP?
Because we have latency problems and an initiated download was consuming the whole throughput from the pipe of our ISP. So if just one of my users is initiating a download to a fast web server, it would use 15Mbps and all others have latency problems, especially our external Outlook users. That's why in our case a traffic shaping for all users on the http, https and ftp policy is the best solution in my opinion.
But thx for your suggestion.
A couple things come to mind here for me:
1) Did you tell the FGT what the pipe sizes are?
config system interface
    edit "port2"
        set vdom "root"
        set ip blah-blah-blah
        set allowaccess ping https
        set type physical
        set tcp-mss 1470
        set inbandwidth 12800    <- Inbound pipe size (in Kilo BYTES! in V4.2)
        set outbandwidth 12800   <- Outbound pipe size (in Kilo BYTES! in V4.2)
        set description "Outside (Internet) interface"
        set alias "Internet"
        set speed 100full
    next
end
2) Did you set the default traffic priority to something less than high?
config system global
    set tos-based-priority medium
end
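As an added illustration, not configuration taken from any of the posts above, this is how the three classes the thread describes (voice 1Mb at high, the 7.5Mb LAN at medium, the 2.5Mb LAN at low) could be expressed as shared shapers attached to a firewall policy. The interface name port2, the LAN interface internal2, the shaper names, the policy ID, the address and service objects, and the 10Mb figure for the interface bandwidth are all assumed placeholders; the syntax follows the FortiOS 4.x-era CLI and should be checked against the CLI reference for the firmware in use.

```fortios
# Tell the FortiGate the real pipe size on the WAN interface
# (port2 and the 10Mb value are assumed; check your firmware's CLI reference for the unit)
config system interface
    edit "port2"
        set inbandwidth 10000
        set outbandwidth 10000
    next
end

# One shared shaper per class, matching the bandwidth and priority named in the thread
config firewall shaper traffic-shaper
    edit "voice-1M-high"
        set guaranteed-bandwidth 1000
        set maximum-bandwidth 1000
        set priority high
    next
    edit "lan-7.5M-medium"
        set guaranteed-bandwidth 7500
        set maximum-bandwidth 7500
        set priority medium
    next
    edit "lan-2.5M-low"
        set guaranteed-bandwidth 2500
        set maximum-bandwidth 2500
        set priority low
    next
end

# Attach the low-priority shaper in both directions on the policy for the 2.5Mb LAN.
# traffic-shaper-reverse polices the download side; as explained earlier in the thread,
# those packets have already crossed the ISP link before the FortiGate drops them, so
# this caps what the LAN receives, not what the ISP link carries.
config firewall policy
    edit 10
        set srcintf "internal2"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set traffic-shaper "lan-2.5M-low"
        set traffic-shaper-reverse "lan-2.5M-low"
    next
end
```

Repeat the policy block with the medium and high shapers for the 7.5Mb LAN and the voice subnet; the reply above about the two simultaneous downloads is the test that shows whether the allocation holds.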