spoojary
Staff
Article Id 276533
Description This article describes a solution to an issue where, after enabling traffic shaping on a FortiGate device running version 7.0.12, it becomes impossible to access the network. The resolution involves using a CLI command related to the npu system.
Scope FortiGate.
Solution

Problem: When enabling traffic shaping on a FortiGate device with system version 7.0.12, network access is lost.

 

Solution:

  1. Before proceeding, make sure to back up the configuration.
  2. Access the FortiGate CLI.
  3. Enter the following commands:

config system npu
   set default-qos-type policing 
end

 

  4. Reboot the device for the changes to take effect.

Note: Changing the default QoS type to policing makes the device leverage the TPE module, which means a restart of the FortiGate device is mandatory.

 

The 'set default-qos-type policing' command, when used within the FortiGate device's CLI, pertains to the way Quality of Service (QoS) is handled in the context of traffic management.

 

Command breakdown:

  • default-qos-type: This refers to the default method or mechanism by which Quality of Service (QoS) is applied to network traffic on the device.

  • policing: This is a specific type of QoS management. When policing traffic, a strict limit is set on the rate of traffic. Any traffic that exceeds this limit can be either dropped or remarked (changing the QoS value) so it might get dropped later in the network.

Below is a more detailed explanation of policing:

Policing: Policing is a traffic management approach where traffic rates are monitored, and actions are taken on packets once they exceed the configured rate limits. The typical actions include:

  1. Dropping: Excess packets can be dropped immediately once they exceed the defined rate.
  2. Remarking: Instead of dropping, excess packets can have their QoS values changed (for example, their Differentiated Services Code Point, or DSCP, values). This might result in them getting lower priority treatment elsewhere in the network.

Using policing effectively creates a 'hard ceiling' for traffic, ensuring that it does not exceed specified limits. However, one downside is that the immediate dropping of packets can lead to increased retransmissions and reduced application performance, depending on the nature of the traffic.
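
The drop and remark actions described above, modeled as an added example that is not part of the original article and is not FortiGate code. It assumes a generic single-rate token-bucket policer; the DSCP values, rate, burst size and traffic are constructed, and nothing here describes how the NPU or TPE module implements policing internally.

```python
from dataclasses import dataclass, replace

DSCP_IN_PROFILE = 10   # constructed sample marking (AF11) on arriving packets
DSCP_REMARKED = 0      # constructed marking for excess packets (best effort)

@dataclass(frozen=True)
class Packet:
    t_us: int            # arrival time, microseconds
    size: int            # bytes
    dscp: int = DSCP_IN_PROFILE

class Policer:
    """Generic single-rate token-bucket policer (a model, not FortiGate NPU internals)."""

    def __init__(self, rate_bps, burst_bytes, exceed_action="drop"):
        if exceed_action not in ("drop", "remark"):
            raise ValueError("exceed_action must be 'drop' or 'remark'")
        self.rate_bps = rate_bps
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last_us = 0
        self.exceed_action = exceed_action

    def police(self, pkt):
        """Return the packet as forwarded, or None if it was dropped."""
        elapsed = max(0, pkt.t_us - self.last_us)
        self.last_us = max(self.last_us, pkt.t_us)
        # Refill at the configured rate, capped at the burst size (the hard ceiling).
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bps / 8_000_000)
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size        # conforming: forward unchanged
            return pkt
        if self.exceed_action == "remark":
            return replace(pkt, dscp=DSCP_REMARKED)  # forwarded, lower priority downstream
        return None                        # excess: dropped, never queued

def run(packets, **policer_args):
    policer = Policer(**policer_args)
    return [policer.police(p) for p in packets]

# Constructed traffic: 1500-byte packets every 1 ms (12 Mbit/s offered load).
SAMPLE = [Packet(t_us=i * 1000, size=1500) for i in range(20)]

if __name__ == "__main__":
    for action in ("drop", "remark"):
        out = run(SAMPLE, rate_bps=8_000_000, burst_bytes=3000, exceed_action=action)
        dropped = sum(p is None for p in out)
        remarked = sum(p is not None and p.dscp == DSCP_REMARKED for p in out)
        print(f"{action}: forwarded={len(out) - dropped} dropped={dropped} remarked={remarked}")
```

With 12 Mbit/s offered against an 8 Mbit/s limit, the initial burst allowance is used up after four packets and every third packet after that is out of profile: dropped in one mode, forwarded with a lower DSCP in the other.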

 

In the context of the FortiGate command provided (set default-qos-type policing), this would mean that the default behavior for handling QoS on the device would be to use the policing mechanism. It will be especially relevant when the device is set up for traffic shaping, as it dictates how excess traffic would be treated.
