Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Daryaya
New Contributor

packet shaper and shaping policies issues

Hi,

We have multiple traffic shapers and shaping policies configured, each with the same value set for both the guaranteed and maximum bandwidth. These policies are applied based on source networks and are linked to shaping policies (not directly to security policies).

The issue we’re encountering is that during testing, we are not seeing traffic reach the guaranteed bandwidth levels — even when the network is idle. We’re not getting close to the configured guaranteed/max bandwidth, and end-users are reporting slow performance.

Currently, we do not have any bandwidth defined on the outbound interfaces, and from what I understand, this might be a contributing factor. My question is:

  • Without defining outbound bandwidth on the interface, how does the firewall know when to enforce traffic shaping policies (e.g., to throttle down to guarantee bandwidth when the interface is congested, or to allow bursting when there’s capacity)?
  • Is shaping applied based only on each individual shaping policy, or does the interface-level bandwidth definition play a critical role in determining when to enforce these limits?

Additionally:

  • If we do need to configure outbound bandwidth, should it be applied to the physical interface or the VLAN subinterface?
    • For example, in a setup like: internal (x2.100) → internet (x1.100), do we configure shaping bandwidth on x1.100 or the parent physical interface x1?
  • What happens to traffic that doesn’t match any shaping policy — does it go unshaped?(i.e when there is congestion on interface, how they gets treated) 
  • We are using multiple VDOMs. If we configure bandwidth on the physical interface x1, will that affect other subinterfaces like x1.300 used in another VDOM, which has no shapers applied?

Any guidance would be appreciated.

4 REPLIES 4
Anthony_E
Community Manager
Community Manager

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Daryaya

Anyone could help with this please?

Anthony_E
Community Manager
Community Manager

Hello,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hello,

 

I found this answer by questioning our AI:

 

To address issues related to packet shaper and shaping policies on FortiGate, follow these steps:

  1. Verify Configuration:

    • Ensure that the traffic shaping policies and shapers are correctly configured. Check the maximum and guaranteed bandwidth settings.
    • Use the command diagnose firewall shaper traffic-shaper list to view shared policy traffic details, including bandwidth and dropped packets.
  2. Check for Known Issues:

    • Be aware of known issues with specific FortiGate models, such as NP7lite devices (e.g., FortiGate-90G/91G), where traffic may be disrupted even if bandwidth limits are not reached. This issue is resolved in firmware versions v7.2.11, v7.4.8, and v7.6.3.
  3. Debugging:

    • Use diagnose npu np7lite dce-eng-drop all to check for increased DCE_QTM_ENQ_DROP counts, which indicate packet drops due to shaping policies.
    • For session quota issues, increase the maximum concurrent sessions in the traffic shaper configuration.
  4. DSCP Marking:

    • Ensure DSCP settings are correctly configured in shaping policies. If DSCP marking is not applied as expected, verify that diffserv-forward and diffserv-reverse are enabled in the shaping policy configuration.
  5. Workarounds:

    • If experiencing issues with shaping policies on NP7lite devices, consider disabling the shaping policy temporarily using set status disable in the shaping policy configuration.

By following these steps, you can troubleshoot and resolve common issues related to packet shapers and shaping policies on FortiGate.

Anthony-Fortinet Community Team.
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors