FortiGate
sbaikadi
Staff
Article Id 283099
Description This article describes how traffic shaping is applied on a FortiGate chassis and how to check whether shaping is applied as desired.
Scope FortiGate 6000 and 7000 Series
Solution
  1. For traffic shapers in the SLBC platform (6000 and 7000 Series), the shaper is applied per blade/slot, not per chassis.
  2. In the 6000/7000 series, traffic is load-balanced across all of the blades in the chassis. Each blade can be considered an individual FortiGate (like a 3800D), and these individual FortiGates apply traffic shaping quotas independently. When a blade receives traffic, it shapes the traffic it processes in the same way as a regular FortiGate. Because the hashing algorithm on the 6K/7K load-balances traffic to different blades, this may sometimes allow more traffic than expected.
  3. The configuration for traffic shaping defined in the shaper is synced with each FPC/FPM in the chassis.
  4. Each FPC/FPM will shape the traffic as per the bandwidth configured on the blade.
    For example: The traffic received on the MBD/FIM on the chassis is load-balanced to the slots/blades in the chassis. If 60 Mbps of bandwidth is configured to be shaped for the traffic on the MBD/FIM, each slot/blade in the chassis will shape 60 Mbps of the traffic that hits that particular blade.
    (Note: If the chassis has 6 Slots, the total bandwidth shaped by the chassis in this case will be 6 x 60 Mbps = 360 Mbps.)
  5. The bandwidth allocated to each FPC can be seen from the CLI using the following command:

 

diagnose firewall shaper traffic-shaper list
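
The per-blade behaviour described in items 2 to 4, worked through as an added example (not Fortinet code and not part of the original article). SHA-256 over the 5-tuple is an assumed stand-in for the SLBC hashing algorithm, and the flows and addresses are constructed sample data.

```python
import hashlib
from collections import defaultdict

SLOTS = 6          # blades in the chassis (the article's example)
SHAPER_MBPS = 60   # bandwidth configured in the shaper (the article's example)

def blade_for(five_tuple, slots=SLOTS):
    # Assumption: SHA-256 over the 5-tuple stands in for the SLBC
    # load-balancing hash, which this sketch does not reproduce.
    digest = hashlib.sha256("|".join(map(str, five_tuple)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % slots

def admitted(flows, slots=SLOTS, shaper_mbps=SHAPER_MBPS):
    """Return (per-blade admitted Mbps, chassis total) for [(five_tuple, offered_mbps)]."""
    offered = defaultdict(float)
    for five_tuple, mbps in flows:
        offered[blade_for(five_tuple, slots)] += mbps
    # Each blade applies the synced limit only to the traffic it processes.
    per_blade = {b: min(load, float(shaper_mbps)) for b, load in sorted(offered.items())}
    return per_blade, sum(per_blade.values())

# Constructed sample traffic (documentation addresses, not from the article).
ONE_BIG_FLOW = [(("198.51.100.10", 40000, "203.0.113.5", 443, "tcp"), 400.0)]
MANY_SMALL_FLOWS = [(("198.51.100.10", 10000 + i, "203.0.113.5", 443, "tcp"), 1.0)
                    for i in range(1200)]

if __name__ == "__main__":
    for label, flows in (("one 400 Mbps flow", ONE_BIG_FLOW),
                         ("1200 x 1 Mbps flows", MANY_SMALL_FLOWS)):
        per_blade, total = admitted(flows)
        print(f"{label}: per-blade={per_blade} chassis total={total} Mbps")
```

A single flow stays on one blade and is held to 60 Mbps, while many flows spread across all six blades and the chassis passes up to 6 x 60 Mbps = 360 Mbps.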

Troubleshooting commands:

 

  1. To check if traffic is being shaped, look for 'originshaper=' in the output of 'diag sys session list':

 

  2. To check the packets being dropped or the allocated bandwidth on each FPC/FIM:

 

diagnose firewall shaper traffic-shaper stats

diagnose firewall shaper traffic-shaper list name xxxx

diagnose firewall shaper traffic-shaper stats clear (To clear the statistics.)

 


 

  3. Debug flow messages show drops due to the shaper with the message 'exceeded shaper limit, drop'.

 


 

  4. Add a FortiView Dashboard widget to monitor traffic shaping. See 'To add a FortiView widget in the dashboard' on this page of the FortiGate cookbook.
