We currently have FortiGates rolled out at each of our sites and are looking to tighten up our traffic shaping policies, as we are having instances where it currently bursts the bandwidth, albeit infrequently.
Is the recommendation from Fortinet to use Shared > Per Policy shapers?
I feel that Shared > All policies using this shaper would be a better fit for our environment, but I have been advised that this is not the recommended way from Fortinet and they are trying to move people to Per Policy since the later firmware was released.
The Shared > All policies option applies the shaping rules to all policies using the same shaper. For example, the shaper is set to be per policy with a maximum bandwidth of 1000 Kb/s. There are four security policies monitoring traffic through the FortiGate unit. All four have the shaper enabled. Each security policy must share the defined 1000 Kb/s, and it is set on a first come, first served basis. For example, if policy 1 uses 800 Kb/s, the remaining three must share 200 Kb/s. As policy 1 uses less bandwidth, it is opened up to the other policies to use as required. Once used, any other policies will encounter latency until free bandwidth opens from a policy currently in use.
On the other hand, the Shared > Per Policy shaper enables all policies using the configured shaper to have 200 Kb/s EACH. This shaper is probably more reliable, as all policies will share the same bandwidth and not encounter any latency as a result.
However, it's not really recommended to do either anymore, since the above options work with security policies, whereas Fortinet now recommends that you use traffic shaping policies instead. Given that you use 5.6, have a look at the video below to see how to go about it:
My understanding is "per policy" vs. "all policies" didn't change from 5.2 or before to 5.4 or after. They work as nick22d explained above, and both are still needed depending on what kind of shapers you need. It's a config item in traffic shapers.
The way to apply the shapers has changed (added) since 5.4. Fortinet TAC recommended us to use shaping-policy instead of security/firewall policies when we were testing our QoS with 5.4.
I think I am getting confused with this, as I believe we are using it the recommended way for v5.6: we have Traffic Shapers and Traffic Shaping Policies using the Traffic Shapers.
Can we still not then use either Per Policy or All Policies Using This Shaper, as they would both use Traffic Shaping Policies?
I also see your reasoning for Per Policy; however, I am working on the assumption we would then have bandwidth potentially not being used.
Simplistically, I was thinking of doing the following on a 20MB connection, keeping in mind our remote offices connect via RDP and we want to prioritize VOIP and RDP sessions above everything else. Most other traffic is non-work-related, which we are not overly concerned about.
Traffic Shapers
- Priority = High, Guaranteed Bandwidth = 3,072 Kbps
- Priority = High, Guaranteed Bandwidth = 2,048 Kbps
- Priority = Medium, Max Bandwidth = 15,360 Kbps
Traffic Shaping Policies
- Anything on the voice VLAN uses the Voice shaper for shared and reverse
- Anything using the RDP application uses the RDP shaper for shared and reverse
- Anything other than the above uses the The_Rest shaper for shared and reverse
Or would you still recommend having the 15MB broken up with various max bandwidths?
We have been told we should also over-provision it, so currently allow the 3 shapers we have other than RDP and VOIP to have 20MB in total, working on the assumption it will only max out in scenarios when everything is being maxed out. This theory doesn't sit well with me.
I believe you can still use both, although we still need to re-test our QoS config developed for 5.4 with 5.6. I'm assuming the same at this moment.
Your thinking & config is about the same as mine. A couple of comments I'd like to make:
- We're still relying on DSCP marking & values, since VoIP packets travel through the network, not only the FGT sections. FGT seems to be using the values/priority mappings inside of the device (you must have seen in the handbook how to configure them), although nobody from FTNT can explain how they're used so far. I'm still waiting for the answer from the SE group.
- You need to think about management traffic as well. If the circuit is literally maxed out, your remote access might not work to troubleshoot.
I have a scenario where I want to limit each department with a certain bandwidth. Let's say we have 5 departments and our uplink is 100Mbps. I want to limit each department to have 20Mbps.
```
config firewall shaper traffic-shaper
    edit "20Mbps"
        set maximum-bandwidth 20500
        set per-policy enable
    next
end
config firewall shaping-policy
    edit 1
        set comment "ACCOUNTING_DEPARTMENT"
        set service "ALL"
        set dstintf "wan"
        set traffic-shaper "20Mbps"
        set traffic-shaper-reverse "20Mbps"
        set srcaddr "ACCT_172.16.10.0/24"
        set dstaddr "all"
    next
end
```
The problem is that when I configure a traffic shaper for a certain department to 20Mbps and the limit is reached, packets get dropped.
We have migrated from Cisco where we had traffic shaping policies and when the limit was reached we didn't notice any packet loss.
Example of a 20Mbps policy-map:
```
police 20000000 2500000 5000000 conform-action transmit exceed-action drop
```
Is there a way to configure traffic shaping on a FortiGate to do something similar, or would I need to define a traffic shaping policy for each type of traffic and set a different priority, guaranteed bandwidth, etc.?
What you probably want is to rate-limit the WAN ports (both ingress and egress), or at least start with that. If the various departments are on separate subnets and connected to the fgt via individual ports, you could rate-limit those ports too. Unless anyone else wants to chime in, I'd rather rate-limit traffic than play around with various traffic shaping rules if at all possible. That said, do take a read of the "The purpose of traffic shaping" section if you are still planning that approach.
With your Cisco policing config, it's supposed to drop exceeding packets because you configured "exceed-action drop". If you think it doesn't drop, some other factors are causing you to misread the actual traffic in "show policy-map".
In your case I would never configure 20.5Mbps max for 5 depts. to share one 100Mbps. I would configure it like:
```
set maximum-bandwidth 30000
set guaranteed-bandwidth 20000
```
so that each dept can go up to 30Mbps. Even when 3 depts generate max traffic, which probably doesn't happen at the exact same time, there is some breathing room for the other depts. You will need to adjust the numbers based on actual usage after implementing the shapers.
But if you have different types of traffic on the same circuit from each dept, like voice, video, file transfer, etc., you should segregate those based on the types, which is more important than limiting the max for each dept.
I know 20Mbps is not ideal but this is just an example.
There was traffic drop on our Cisco environment, but it wasn't so severe and it didn't happen right away. I'm not 100% sure how it works, but it looks like it works more like traffic shaping than policing, where excess traffic goes to a buffer and gets transmitted with a bit of delay (you do notice a higher response time on ICMP traffic).
On FortiGate you get packet loss as soon as you reach the maximum bandwidth limit.
Is there a way to get FortiGate to work in a similar way to the traffic policy on Cisco? Is there no other way but to do different traffic shaping policies for different traffic types (QoS)?
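A token-bucket simulation, added here as an illustration and not code from this thread or from Fortinet or Cisco: it contrasts a policer that drops on exceed (with and without the 2,500,000-byte burst allowance from the police line quoted above) against a shaper that buffers excess and releases it at the committed rate. The 1500-byte packet size, the 30 Mbps one-second burst and the buffer sizes are constructed assumptions.

```python
# Added example (not from the thread): token-bucket simulation of policing vs shaping.
# CIR and Bc come from the Cisco police line quoted above; PKT, the offered load and
# the buffer sizes are assumptions chosen to make the behaviour visible.
CIR_BPS = 20_000_000   # 20 Mbps committed rate (police 20000000 ...)
BC_BYTES = 2_500_000   # Cisco "normal burst" of 2,500,000 bytes from the same line
PKT = 1500             # assumed packet size in bytes

class TokenBucket:
    """Tokens are bytes; the bucket refills at rate_bps and never exceeds depth."""
    def __init__(self, rate_bps, depth):
        self.rate, self.depth, self.tokens, self.last = rate_bps, depth, float(depth), 0.0
    def conforms(self, now, size):
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.rate / 8)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False

def offered_load(mbps, seconds):
    """Constructed traffic: arrival times of evenly spaced PKT-byte packets at a constant rate."""
    n = int(mbps * 1e6 * seconds / 8 / PKT)
    return [i * seconds / n for i in range(n)]

def police(arrivals, depth):
    """Policer: a packet the bucket cannot cover is dropped on the spot (Cisco
    'exceed-action drop', or a max-bandwidth limit with no burst credit).
    Returns the number of dropped packets."""
    tb = TokenBucket(CIR_BPS, depth)
    return sum(0 if tb.conforms(t, PKT) else 1 for t in arrivals)

def shape(arrivals, queue_bytes):
    """Shaper: excess is held in a buffer and released at CIR; a drop happens only when
    the buffer is full. Returns (dropped packets, worst queueing delay in seconds)."""
    next_free, dropped, max_delay = 0.0, 0, 0.0
    for t in arrivals:
        backlog = max(0.0, next_free - t) * CIR_BPS / 8   # bytes already waiting
        if backlog + PKT > queue_bytes:
            dropped += 1
            continue
        depart = max(t, next_free)
        max_delay = max(max_delay, depart - t)
        next_free = depart + PKT * 8 / CIR_BPS
    return dropped, max_delay

if __name__ == "__main__":
    burst = offered_load(30, 1.0)   # one second at 30 Mbps into a 20 Mbps limit
    print("police, Bc=2.5 MB  drops:", police(burst, BC_BYTES))
    print("police, no burst   drops:", police(burst, PKT))
    print("shape, 1 MB buffer  (drops, max delay):", shape(burst, 1_000_000))
    print("shape, 10 MB buffer (drops, max delay):", shape(burst, 10_000_000))
```

With the 2.5 MB burst credit the one-second 30 Mbps burst passes with no drops at all, which is why a short overrun on the Cisco side went unnoticed, while the same burst against a limit with no burst credit loses roughly every other packet; the shaper instead trades the loss for up to half a second of queueing delay.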