vhitnal
Staff
Article Id 190298
Description
This article describes how to configure interface-based traffic shaping with NP acceleration.

Scope
The examples that follow are given for versions 6.4.0 and 6.4.2.

Solution
Interface-based traffic shaping with NP acceleration is supported on some units.
An administrator configures the WAN interface's maximum outbound bandwidth and, based on that, creates a traffic shaping profile with a percentage-based shaper.
This allows for proper QoS and traffic shaping.
VLAN interfaces are not supported.

This feature is supported on FortiGate 600E, 500E, and 300E models.

To configure interface-based traffic shaping:

1) Enable NPU offloading when doing interface-based traffic shaping according to the egress-shaping-profile:
# config system npu
    set intf-shaping-offload enable
end
2) Configure shaping profiles.
# config firewall shaping-profile
    edit "sdwan"
        set default-class-id 4
        config shaping-entries
            edit 1
                set class-id 4
                set guaranteed-bandwidth-percentage 3
                set maximum-bandwidth-percentage 5
            next
            edit 2
                set class-id 3
                set priority medium
                set guaranteed-bandwidth-percentage 50
                set maximum-bandwidth-percentage 100
            next
            edit 3
                set class-id 2
                set priority low
                set guaranteed-bandwidth-percentage 1
                set maximum-bandwidth-percentage 5
            next
        end
    next
end
The class number is limited to 16.

3) Configure a traffic shaper and shaping policy.
# config firewall shaper traffic-shaper
    edit "Transactional"
        set priority medium
    next
end
# config firewall shaping-policy
    edit 1
        set service "ALL"
        set dstintf "any"
        set traffic-shaper "Transactional"
        set class-id 3
        set srcaddr "all"
        set dstaddr "all"
    next
end
4) Apply the egress shaping profile on the interface.

# config system interface
    edit "port2"
        set vdom "root"
        set ip 10.1.100.23 255.255.255.0
        set allowaccess ping
        set type physical
        set outbandwidth 500
        set egress-shaping-profile "sdwan"
        set snmp-index 4
    next
end


5) Configure a firewall policy.
# config firewall policy
    edit 3
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
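
The following check is an added example, not part of the original article or Fortinet tooling: it parses the "sdwan" shaping profile from step 2, converts each class's percentages into absolute rates for the outbandwidth value set in step 4, and flags inconsistencies before the profile is applied. Assumptions: outbandwidth is in kbps, the 16-class limit is read as a limit on the count of classes, the guaranteed percentages should not sum to more than 100, and the function names parse_profile and audit are hypothetical.

```python
import re
# Constructed sample: the "sdwan" profile from step 2 (priority lines omitted).
CONFIG = """config firewall shaping-profile
    edit "sdwan"
        set default-class-id 4
        config shaping-entries
            edit 1
                set class-id 4
                set guaranteed-bandwidth-percentage 3
                set maximum-bandwidth-percentage 5
            next
            edit 2
                set class-id 3
                set guaranteed-bandwidth-percentage 50
                set maximum-bandwidth-percentage 100
            next
            edit 3
                set class-id 2
                set guaranteed-bandwidth-percentage 1
                set maximum-bandwidth-percentage 5
            next
        end
    next
end
"""

def parse_profile(text):
    """Return (default_class_id, {class_id: (guaranteed_pct, maximum_pct)})."""
    default = int(re.search(r"set default-class-id (\d+)", text).group(1))
    classes = {}
    for entry in re.findall(r"edit \d+\n(.*?)\n\s*next", text, re.S):
        kv = dict(re.findall(r"set (\S+) (\d+)", entry))  # numeric settings only
        classes[int(kv["class-id"])] = (int(kv["guaranteed-bandwidth-percentage"]),
                                        int(kv["maximum-bandwidth-percentage"]))
    return default, classes

def audit(default, classes, bw_kbps, policy_class_ids=()):
    """Return ({class_id: (guaranteed_kbps, maximum_kbps)}, [problems])."""
    problems = []
    if len(classes) > 16:  # limit stated in the article, read as a class count
        problems.append("more than 16 classes")
    for cid in (default, *policy_class_ids):  # every referenced class needs an entry
        if cid not in classes:
            problems.append(f"class-id {cid} has no shaping entry")
    if sum(g for g, _ in classes.values()) > 100:  # assumed rule: guarantees fit the link
        problems.append("guaranteed percentages exceed 100")
    problems += [f"class {c}: guaranteed > maximum" for c, (g, m) in classes.items() if g > m]
    kbps = {c: (bw_kbps * g // 100, bw_kbps * m // 100) for c, (g, m) in classes.items()}
    return kbps, problems
```

With the article's values (outbandwidth 500, shaping policy class-id 3), class 3 is guaranteed 250 kbps and may use up to 500 kbps, while classes 4 and 2 are capped at 25 kbps each.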
