Eric_Brown
New Contributor

traffic shaping issue

Today, I noticed that our internet connection seemed very slow (the most reliable bandwidth monitor I have is Pandora: when I get 20-30 seconds of silence, I know something's not quite right!). I checked our PRTG graph and found that we were at our upstream capacity (5 Mbps) for about 15 minutes. Speedtest.net confirmed that downstream speeds were under 1 Mbps. I'm confused by this, because I have a traffic shaping policy that guarantees 500 Kbps up and 1000 Kbps down, with the maximum set to 5000 Kbps each way. We have a small shop, so I'm fairly confident we didn't have 10 people uploading simultaneously. Spillover threshold for that WAN is 4000 Kbps, so I'm surprised that nothing kicked over to the other WAN. Can anyone give me any insight into why this happened? Thanks!

Eric

FortiGate 60C v4.0,build0441,110318 (MR3)

    config firewall policy
        edit 1
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "Internal-Subnet"
            set dstaddr "all"
            set action accept
            set utm-status enable
            set logtraffic-app disable
            set schedule "always"
            set service "ANY"
            set av-profile "default"
            set application-list "default"
            set profile-protocol-options "default"
            set traffic-shaper "Outbound IST"
            set traffic-shaper-reverse "Inbound IST"
            set nat enable
        next
        edit 2
            set srcintf "internal"
            set dstintf "wan2"
            set srcaddr "Internal-Subnet"
            set dstaddr "all"
            set action accept
            set utm-status enable
            set logtraffic-app disable
            set schedule "always"
            set service "ANY"
            set av-profile "default"
            set application-list "default"
            set profile-protocol-options "default"
            set traffic-shaper "Outbound BGN"
            set traffic-shaper-reverse "Inbound BGN"
            set nat enable
        next
        edit 3
            set srcintf "wan2"
            set dstintf "internal"
            set srcaddr "all"
            set dstaddr "PPTP-Biserver01" "FTP-Bigserver01" "HTTP-Bigserver01" "HTTPS-Bigsever01" "RWW-BIGSERVER01"
            set action accept
            set logtraffic-app disable
            set schedule "always"
            set service "PPTP" "FTP" "HTTP" "HTTPS" "TCP-5125 RWW"
            set traffic-shaper "Inbound BGN"
        next
        edit 4
            set srcintf "ssl.root"
            set dstintf "internal"
            set srcaddr "SSL-VPN"
            set dstaddr "Internal-Subnet"
            set action accept
            set logtraffic-app disable
            set schedule "always"
            set service "ANY"
        next
        edit 5
            set srcintf "internal"
            set dstintf "ssl.root"
            set srcaddr "Internal-Subnet"
            set dstaddr "all"
            set action accept
            set logtraffic-app disable
            set schedule "always"
            set service "ANY"
        next
        edit 6
            set srcintf "wan2"
            set dstintf "internal"
            set srcaddr "all"
            set dstaddr "Internal-Subnet"
            set action ssl-vpn
            set logtraffic-app disable
            config identity-based-policy
                edit 1
                    set schedule "always"
                    set logtraffic-app disable
                    set groups "SSL-VPN-Users"
                    set service "ANY"
                next
            end
        next
    end
ejhardin
Contributor

For best results set the wan interface bandwidth:

    config system interface
        edit "wan1"
            set inbandwidth <rate>
            set outbandwidth <rate>
        next
    end

Next set your default traffic shaping rule:

    config system global
        set tos-based-priority <high | medium | low>
    end

Is wan1 and wan2 both 5MB up and 5MB down? Please post your traffic shaping policies. Also when applying the traffic shaping rule to the firewall policy the first is upload and the second is download.
Eric_Brown
New Contributor

Thanks for this information. I recall now that you had advised me several weeks ago to set inbandwidth / outbandwidth, but forgot to do it. Can you help me understand why, if our ISP caps our rate at 5 Mbps, it is helpful to limit the rate at the interface? According to the documentation for MR3, these variables take integers in kilobytes (not kilobits) per second. However, in the GUI, everything is in kilobits per second. Before I make any changes, I just want to confirm that setting via the CLI is indeed KBps. (Also, any insight into why this option is only configurable via CLI?) To answer your question, WAN1 is 20 down / 2 up. WAN2 is 5/5. I'm still trying to understand how to effectively balance these two connections, but most of the time it works out on its own, so I don't fiddle with it too much. Here are the traffic shaping policies you requested:
    config firewall shaper traffic-shaper
        edit "Outbound WAN1"
            set guaranteed-bandwidth 500
            set maximum-bandwidth 2000
        next
        edit "Inbound WAN1"
            set guaranteed-bandwidth 2000
            set maximum-bandwidth 20000
        next
        edit "Outbound WAN2"
            set guaranteed-bandwidth 500
            set maximum-bandwidth 5000
        next
        edit "Inbound WAN2"
            set guaranteed-bandwidth 1000
            set maximum-bandwidth 5000
        next
        edit "Low Priority Entertainment"
            set guaranteed-bandwidth 500
            set maximum-bandwidth 1500
            set priority low
        next
    end
 
The last one ("Low Priority Entertainment") is applied to the default application control sensor for items like Netflix, Pandora, and Hulu. The default application sensor is applied to each WAN policy. The Inbound / Outbound policies are tied to the appropriate WAN port. Thanks for your advice on this.
ede_pfau
Esteemed Contributor III

The 'inbandwidth' and 'outbandwidth' parameters don't limit any bandwidth directly. They are important to properly calculate the current bandwidth used as a rate, which then is used to drop packets if it gets too high. Quite often the port speed on the WAN side is not equal to the available max. BW, so this information needs to be supplied explicitly. BW is specified in kiloBytes per second up to FortiOS v4.00 MR2 and in kiloBits per second from 4.3 on. This is documented. As you are using 4.3 you need to divide your BW values (given in Mbit/sec) by 8. No wonder that you didn't see any effect with these shapers. If you want to get more assured with these settings you can put a traffic shaper on any free port and hook up a notebook or any other data sink, and experiment. It's always advisable to set the default traffic priority to 'medium' as ejhardin posted. The factory default is 'high', which doesn't leave much choice to raise the priority for traffic falling below its minimum guaranteed BW.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
ejhardin
Contributor

I believe ede_pfau has answered your question perfectly for reasons why to set inbandwidth and outbandwidth on your WAN interfaces. Here is a table for your connection speed as FortiOS sees them:

    WAN1  20 Mbps down    = 20000 Kbps [kilobit/sec]  New (4.3.x or higher)  = 2500 KB/sec [kilobyte/sec]  Old (4.2.x or lower)
          2 Mbps up       =  2000 Kbps [kilobit/sec]  New (4.3.x or higher)  =  250 KB/sec [kilobyte/sec]  Old (4.2.x or lower)
    WAN2  5 Mbps down/up  =  5000 Kbps [kilobit/sec]  New (4.3.x or higher)  =  625 KB/sec [kilobyte/sec]  Old (4.2.x or lower)

Here is a site that I like to use: http://www.mediaroad.com/products/speedcheck/free_tools/unit_convert/

I agree with ede_pfau... I like to use medium as well. It gives me the option to set policies that I know are high and I know which need to be a low priority; everything else can ride in the middle.

    config system global
        set tos-based-priority medium
    end
Eric_Brown
New Contributor

Thanks for your advice (and patience!), everyone. This has all been very helpful. I haven't made the changes that you recommend yet. I'll wait until the weekend to do it so that if I break something, I can easily recover.
billp
Contributor

"I'll wait until the weekend to do it so that if I break something, I can easily recover."

Sigh... the sysadmin's lament. No rest for the wicked among us :)

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
Eric_Brown
New Contributor

Just a quick update -- I implemented the changes suggested (and before the weekend, even! I'm such a daredevil...), and everything seems to be running much better than before. We do a lot of uploading to a particular website (http://wistia.com -- I highly recommend it for professional content sharing), so this was really slowing things down for other users. This was especially problematic since we use Google Apps. People need their web-based email to be as snappy and responsive as a local mail client. Setting the inbandwidth, outbandwidth, and traffic priority as suggested above -- in addition to creating an app sensor that prioritizes Google Apps traffic -- has greatly improved user experience. Thanks again for your help!!