Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Traffic shaping recommendation v5.6

Good morning


We currently have Fortigate's rolled out at each of our sites and are looking to tighten up our traffic shaping policies as we are having instances whereby it currently burst the bandwidth, albeit infrequently.


Is the recommendation from Fortinet to use Shared > Per Policy shapers?


I feel that Shared > All policies using this shaper would be a better fit for our environment but I have been advised that this is not the recommended way from Fortinet and they are trying to move people to Per Policy since the later firmware was released.


Any help/advice appreciated.






The Shared > All policies options applies the shaping rules to all policies using the same shaper. For example, the shaper is set to be per policy with a maximum bandwidth of 1000 Kb/s. There are four security policies monitoring traffic through the FortiGate unit. All four have the shaper enabled. Each security policy must share the defined 1000 Kb/s, and is set on a first come, first served basis. For example, if policy 1 uses 800 Kb/s, the remaining three must share 200 Kb/s. As policy 1 uses less bandwidth, it is opened up to the other policies to use as required. Once used, any other policies will encounter latency until free bandwidth opens from a policy currently in use.


On the other hand, the Shared > Per Policy shaper enables all policies using the configured shaper to have 200Kb/s EACH. This shaper is probably more reliable as all policies will share the same bandwidth and not encounter any latency as a result.


However, it's not really recommended to do either anymore since the above options work with security policies whereas Fortinet now recommends that you use traffic shaping policies instead. Given that you use 5.6, have a look at the video below to see how to go about it:


I hope that helps.

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3

My understanding is "per polcy" vs. "all policies" didn't change from 5.2 or before to 5.4 or after. They work as nick22d explained above and both are still needed depending on what kind of shapers you need. It's a config item in traffic shapers.

The way to apply the shapers has changed(added) since 5.4. Fortinet TAC recommened us to use shaping-policy instead of security/firewall polices when we were testing our QoS with 5.4.


Thanks for the feedback.


I think I am getting confused with this as I believe we are using it the recommended way for v5.6 as we have Traffic Shapers and Traffic Shaping Policy's using the Traffic Shapers.


Can we still not then use either Per Policy or All Policies Using This Shaper as they would both use Traffic Shaping Policys?


I also see your reasoning for Per Policy however I am working on the assumption we would then have bandwidth potentially not being used.


Simplistically I was thinking of doing the following on a 20MB connection, keeping in mind our remote offices connect via RDP and we want to prioritize VOIP and RDP sessions above everything else.  Most other traffic is none work related we are not overly concerned about.


Traffic Shapers



Priority = High

Guaranteed Bandwidth = 3,072 Kbps



Priority = High

Guaranteed Bandwidth = 2,048 Kbps



Priority = Medium

Max Bandwidth = 15,360 Kbps


Traffic Shaping Policy's



Anything on voice VLAN use Voice shaper for shared and reverse



Anything using RDP Application use RDP shaper for shared and reverse



Anything other than the above use The_Rest shaper for shared and reverse


Or would you still recommend having the 15MB broken up with various max bandwidths?


We have been told we should also over provision it so allow currently the 3 shapers we have other than RDP and VOIP to have 20MB in total, working on the assumption it will only max out in scenarios when everything is being maxed out.  This theory doesn't sit well with me.


I believe you can still use both, although we still need to re-test our QoS config developed for 5.4 with 5.6. I'm assuming the same at this moment.


You're thinking & config is about the same as mine. A couple of comments I'd like to make is 

- We're still relying on DSCP marking&values since voip packets travel through the network not only the FGT sections. FGT seems to be using the values/priority mappings inside of the device (you must have seen in the handbook how to configure) although nobody from FTNT can explain how they're used so far. I'm still waiting for the answer from SE group.

- You need to think about management traffic as well. If the circuit is literally maxed out, your remote access might not work to troubleshoot.


I have a scenario where I want to limit each department with a certain bandwidth. Let's say we have 5 departments and our uplink is 100Mbps. I want to limit each department to have 20Mbps.


config firewall shaper traffic-shaper

edit "20Mbps"         set maximum-bandwidth 20500         set per-policy enable     next



config firewall shaping-policy

edit 2         set comment "ACCOUNTING_DEPARTMENT"         set service "ALL"         set dstintf "wan"         set traffic-shaper "20Mbps"         set traffic-shaper-reverse "20Mbps"         set srcaddr "ACCT_172.16.10.0/24"         set dstaddr "all"     next


The problem is that when I configure a traffic shaper for a certain department to 20Mbps and the limit is reached, packets get dropped.


We have migrated from Cisco where we had traffic shaping policies and when the limit was reached we didn't notice any packet loss.


Example of 20Mbps polic-map:

policy-map 20Mbps   class rateclass      police 20000000 2500000 5000000 conform-action transmit exceed-action drop


Is there a way to configure traffic shaping on a fortigate to do similar or would I need to define a Traffic shaping policy for each type of traffic and set a different priority, guaranteed bandwidth, etc.


What is the recommendation?

Honored Contributor

Hi Matjaz.


What you probably want is to rate-limit the WAN ports (both ingress and egress) or at least start with that.  If the various departments are on separate subnets and connected to the fgt via individual ports you could rate-limit those ports too.  Unless anyone else wants to chime in, I'd rather rate-limit traffic than play around with various traffic shaping rules if all possible.  That said, do take a read of The purpose of traffic shaping section if you still planning that approach. 




NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

With your Cisco policing config, it's supposed to drop exceeding packets because you configured "exceed-action drop".  If you think it doesn't drop, some other factors are affecting for you to misread actual traffic in "show policy-map".


In you're case I would never configure 20.5Mbps max for 5 dept. to share one 100Mbps. I would configure like:

set maximum-bandwidth 30000

set guaranteed-bandwidth 20000

so that each dept can go up to 30Mbps. Even when 3 depts generate max traffic, which probably doesn't happen at the exact same time, there is some breathing room for the other dept. You will need to adjust the numbers based on actual usages after implementing the shapers.


But if you have different type of traffic on the same circuit from each dept like voice, video, file transfer, etc. you should segregate those based on the types, which is more important than limiting the max for each dept.



I know 20Mbps is not ideal but this is just an example.


There was traffic drop on our Cisco environment but it wasn't so severe and it didn't happen right away. I'm not 100% percent how it works but it looks like it works more like traffic shaping than policing where excess traffic goes to a buffer and gets transmitted with a bit of delay (you do notice higher response on icmp traffic).


On Fortigate you get packet loss as soon as you reach the maximum bandwidth limit.


Is there a way to get Fortigate to work in a similar way to the traffic policy on Cisco? Is there no other way but to do different traffic shaping policies for different traffic type (QoS)?

New Contributor III

My 50 cent: 


... and if you start applying traffic shapers on some of your traffic, you definetely should consider to apply traffic-shaping to all of the (forwarded) traffic...


Best regards 


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors