Hello,
What's the best way to prioritize all traffic on 5060? Softphone traffic goes over that, so it's critical that regular internet traffic (softphones are run on the computers that are on the data vlan) doesn't impede upon it. Ideally the way it would be set up would be that no matter what people are doing on the data vlan, maxing the circuit or whatever, 5060 traffic is not impeded in any way. Any help would be appreciated.
Thanks,
Brendon
Really depends on your usage profile. If you have heavy internet users you can use a combination of lowering priority and capping the max speed on the bulk web traffic, along with high priority and guaranteed bandwidth for SIP (and don't forget RTP ports).
Ideally you should have a separate link dedicated to voice.
emilec wrote: Really depends on your usage profile. If you have heavy internet users you can use a combination of lowering priority and capping the max speed on the bulk web traffic, along with high priority and guaranteed bandwidth for SIP (and don't forget RTP ports).
Ideally you should have a separate link dedicated to voice.
I don't have a separate link for desk phones, but I do have the data vlan capped to 90% of total bandwidth (I didn't use a percent, I just can't remember what the actual number is) to leave overhead for voip, so the voip vlan is fine. Desk phones use the voip vlan. I suppose I could cap the bulk web traffic a little lower than 90% to give overhead for the softphones (that use the data vlan) as well. Thanks for the help. Also I know voip doesn't use a lot of data but I'm starting by giving voip more room to work with and if I see it only ever uses half of that, I'll lower it some. I'd rather give it too much than too little.
What's the easiest way to get this set up? I guess I'd make a new firewall policy for sip and rtp but then I'm not sure what to do from there. I've already got a policy on the data vlan that says to limit the bandwidth overall, but then is there a way to limit general web traffic from within that limit? Maybe I need coffee for thinking this through :p
Thanks,
Me
I think I could do it this way -
Have a firewall policy for all voip ports on the data vlan - rtsp, sip, etc - that is unrestricted and has higher priority.
Then have a firewall policy for all other ports on the data vlan that is restricted to 90% of whatever the max bandwidth is and is lower priority.
That way there is still overhead for the deskphones on the voip vlan, and then now the voip on the data vlan can use that overhead as well.
^ That's pretty much how I would do it. Make the VoIP rule as specific as possible so the rest of the traffic will drop through to the bulk rule and get limited.
Hello,
Don't I have to make the other policies specific as well? Like normally I would put the service as 'all.' However, if I specify a separate voip policy for certain ports, won't I have to specify the data policy as all the other ports not including voip? Well I have a fortigate at my desk and a softphone so I'll test it out and give the results.
Thanks,
Me
Rules are processed top down. So specific rules at the top, less specific or catchall rules below.
emilec wrote: Rules are processed top down. So specific rules at the top, less specific or catchall rules below.
Oh ok thanks. Also, I have a wireless vlan as well. Can I just add that to the catch-all rule? I want that plus the data vlan to be limited to 90M. I think they both have to be a part of the same firewall policy though, and that policy has to be limited to 90M. So I would have two sources - data vlan and wireless vlan - and one destination - wan1. And then I'd have a traffic shaper that would say to limit to 90M. Then the combination of data and wireless would never go above 90M?
Thanks,
Me
I prefer not having multiple interfaces in a policy because it makes the interface look messy, but that's just me.
IIRC you can create a shared traffic shaper that you can use in multiple policies, so maybe give that a go.
Oh that's right, I think traffic shapers are shared by default, so if you create one shaper and apply to different policies, it works for all of them. Thanks!
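The plan worked out in the thread (a specific, high-priority VoIP policy above a capped catch-all, both using shared shapers) written out as FortiOS CLI. This is an added illustration, not configuration posted by anyone in the thread or taken from Fortinet documentation. Interface names, policy IDs, the RTP port range and the 2 Mbps guaranteed figure are assumptions; the RTP range in particular depends on the PBX or SIP provider and must be checked before use. It uses the per-policy `traffic-shaper` setting discussed above; newer FortiOS releases also offer `config firewall shaping-policy`, and the exact syntax varies by version.

```fortios
# --- Services: match only what the softphones actually use ---
# Keep the VoIP policy as narrow as possible so everything else
# falls through to the capped catch-all (emilec's point above).
config firewall service custom
    edit "SIP-5060"
        set tcp-portrange 5060
        set udp-portrange 5060
    next
    edit "RTP-media"
        # ASSUMPTION: media range used by the PBX. 5060 is signaling only;
        # the voice itself is RTP, so this range matters more than 5060.
        set udp-portrange 10000-20000
    next
end

# --- Shared shapers (per-policy disabled = one bucket across policies) ---
# Bandwidth values are in kbps by default.
config firewall shaper traffic-shaper
    edit "voip-guaranteed"
        # ASSUMPTION: 2 Mbps guaranteed for SIP+RTP on the data side
        set guaranteed-bandwidth 2000
        set priority high
        set per-policy disable
    next
    edit "bulk-90M"
        # Cap bulk data + wireless traffic at 90 Mbps, leaving headroom
        # for the VoIP vlan's desk phones and the softphones.
        set maximum-bandwidth 90000
        set priority low
        set per-policy disable
    next
end

# --- Policies: specific VoIP rule first, catch-all second ---
# Interface names "data-vlan", "wifi-vlan" and "wan1" are assumptions.
config firewall policy
    edit 10
        set name "data-voip-priority"
        set srcintf "data-vlan" "wifi-vlan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP-5060" "RTP-media"
        # Shape both directions; without the reverse shaper, inbound
        # RTP is not prioritised at all.
        set traffic-shaper "voip-guaranteed"
        set traffic-shaper-reverse "voip-guaranteed"
        set nat enable
    next
    edit 11
        set name "data-bulk-capped"
        set srcintf "data-vlan" "wifi-vlan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set traffic-shaper "bulk-90M"
        set traffic-shaper-reverse "bulk-90M"
        set nat enable
    next
    # Policies are evaluated top down: make sure the narrow VoIP policy
    # sits above the catch-all or it will never be matched.
    move 10 before 11
end
```

Two checks worth doing after applying this: confirm with `diagnose firewall iprope lookup` or the policy hit counters that a test softphone call matches policy 10 rather than 11, and watch the shaper counters under `diagnose firewall shaper traffic-shaper list` while someone saturates the link to see that `bulk-90M` is dropping and `voip-guaranteed` is not. Keep in mind that a FortiGate can only shape what it forwards; inbound traffic has already crossed the ISP link by the time it reaches the reverse shaper, so the 90M cap on downloads works by back-pressure on TCP, and UDP floods from the internet are not controlled by it.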
Copyright 2024 Fortinet, Inc. All Rights Reserved.