FortiGate
rmetzger
Staff
Article Id 196548

Description
This article describes the traffic shaping features implemented in FortiOS 4.0.

In FortiOS 4.0, traffic shaping has been enhanced: diagnose commands allow verifying each traffic shaper's usage, and the configuration is more flexible.

See also the related articles at the end of this page, the FortiGate Administration Guide, or the Traffic Shaping Technical Note 3.0MR6 for additional information about traffic shaping.

Scope
FortiOS 4.0 and above

Solution

Summary

1- Traffic shaping configuration is dissociated from the Firewall policies, allowing multiple policies to use common configurations
2- Possibility to use independent configurations in policies for the forward and reverse traffic directions
3- P2P shaping capabilities are now defined at the application control level
4- Troubleshooting packet loss with statistics on traffic shaping configurations
5- Troubleshooting packet loss with the debug flow diagnose commands
6- Session list details with dual traffic shapers (forward and reverse traffic)

 

1. Traffic shaping configuration is dissociated from the Firewall policies

Configure traffic shaping from the CLI:

config firewall traffic-shaper
    edit "limit_GB_25_MB_50_LQ"
        set guaranteed-bandwidth 25 (*)
        set maximum-bandwidth 50 (*)
        set priority low
        set per-policy enable (**)
    next
end

(*)  The maximum-bandwidth and guaranteed-bandwidth fields are expressed in Kbytes/sec.
(**) The default value is disable: the shaper's bandwidth is shared by all policies using this configuration. When per-policy is enabled, each policy using the shaper gets its own independent bandwidth allocation.

Attach a traffic shaping configuration to a Firewall Policy:

config firewall policy
    edit 1
        set srcintf "port5"
        set dstintf "port6"
            set srcaddr "VM11"
            set dstaddr "VM5"
        set action accept
        set schedule "always"
            set service "ANY"
        set traffic-shaper "limit_GB_25_MB_50_LQ"
    next
end



In the web-based manager, you can see the results by going to Firewall > Traffic Shaping.

[Screenshot: Firewall > Traffic Shaping page]
Select Edit to view the new options for each shaper, which include Per policy and For all Policies.

[Screenshot: shaper edit dialog with the Per policy / For all Policies options]

2- Traffic Shaping for reverse traffic

FortiOS 4.0 enables you to have a separate shaper for the reverse traffic on a Firewall Policy. With FortiOS 3.0, the reverse traffic was shaped with the same shaper profile as the originating traffic.

To configure it using the CLI, enter the following commands:


config firewall policy
    edit 4
        set srcintf "port2"
        set dstintf "port6"
            set srcaddr "VM3"
            set dstaddr "VM6"
        set action accept
        set schedule "always"
            set service "ANY"
        set traffic-shaper "limit_GB_25_MB_50_LQ"
        set traffic-shaper-reverse "limit_GB_12_MB_25_LQ"
    next
end

 

3- P2P shaping is defined at the application control level

In FortiOS 3.0, the P2P traffic limits were defined at the protection profile level.

[Screenshot: FortiOS 3.0 protection profile P2P bandwidth limits]

To configure P2P shaping in FortiOS 4.0:

  1. Create the appropriate traffic shaper as outlined above.
  2. Create an Application Control List that uses this traffic shaper.

[Screenshot: Application Control List entry referencing the traffic shaper]

To configure in the CLI, enter the following commands:

config application list
    edit "My P2P application"
            config entries
                edit 1
                    set action pass
                    set application 9
                    set category 2
                    set shaper "My P2P shaper"
                    set shaper-reverse "My P2P shaper"
                next
            end
    next
end

4- Troubleshooting packet loss with statistics on shapers

For each shaper there are counters that show whether packets have been discarded.

To view this information, in the CLI, enter the command diagnose firewall shaper.

The results will look similar to the following output:

FGT# diagnose firewall shaper


name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 KB/sec
guaranteed-bandwidth 25 KB/sec
current-bandwidth 51 KB/sec
priority 3
dropped 1291985

Note: the diagnose command output differs depending on whether the shapers are configured per-policy or shared between policies.
Below is an example where two policies use the same shaper; because the shaper is per-policy, it maintains a separate statistics entry for each policy:

[Screenshot: diagnose firewall shaper output with one statistics entry per policy]
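As an added example (not Fortinet code and not from this article), the following Python helper parses the shared-shaper form of the diagnose firewall shaper output shown above. The first shaper in the sample is the output from this article; the second shaper and the second snapshot are constructed values. It flags any shaper with a non-zero dropped counter or an observed bandwidth above its maximum, and, because the dropped counter is cumulative, it diffs two snapshots so you can tell historical drops from drops that are still occurring.

```python
import re

# Constructed sample: the first shaper is the output shown in this article, the
# second is an invented shaper with no drops.
SAMPLE_SHAPER_OUTPUT = """\
name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 KB/sec
guaranteed-bandwidth 25 KB/sec
current-bandwidth 51 KB/sec
priority 3
dropped 1291985

name limit_GB_12_MB_25_LQ
maximum-bandwidth 25 KB/sec
guaranteed-bandwidth 12 KB/sec
current-bandwidth 3 KB/sec
priority 3
dropped 0
"""

# Constructed second snapshot taken "later": the first shaper dropped 120 more packets.
SAMPLE_SHAPER_OUTPUT_LATER = SAMPLE_SHAPER_OUTPUT.replace("dropped 1291985", "dropped 1292105")

# Every field after the name line is "<key> <integer> [unit]".
FIELD_RE = re.compile(r"^(?P<key>[a-z-]+)\s+(?P<value>\d+)")


def parse_shaper_output(text):
    """Parse 'diagnose firewall shaper' output into one dict per shaper."""
    shapers = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("name "):
            current = {"name": line.split(None, 1)[1]}
            shapers.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key")] = int(m.group("value"))
    return shapers


def shaper_findings(shaper):
    """Return human-readable findings for one parsed shaper record."""
    findings = []
    if shaper.get("dropped", 0) > 0:
        findings.append("%s: %d packets dropped" % (shaper["name"], shaper["dropped"]))
    current = shaper.get("current-bandwidth")
    maximum = shaper.get("maximum-bandwidth")
    if current is not None and maximum is not None and current > maximum:
        findings.append("%s: offered load %d KB/sec exceeds maximum %d KB/sec"
                        % (shaper["name"], current, maximum))
    return findings


def drop_delta(before_text, after_text):
    """Drops per shaper between two snapshots; the counter is cumulative, so a
    positive delta means the shaper is still discarding packets."""
    before = {s["name"]: s.get("dropped", 0) for s in parse_shaper_output(before_text)}
    return {s["name"]: s.get("dropped", 0) - before.get(s["name"], 0)
            for s in parse_shaper_output(after_text)}


if __name__ == "__main__":
    for shaper in parse_shaper_output(SAMPLE_SHAPER_OUTPUT):
        for finding in shaper_findings(shaper):
            print(finding)
    print("drops since previous snapshot:", drop_delta(SAMPLE_SHAPER_OUTPUT, SAMPLE_SHAPER_OUTPUT_LATER))
```

Feed the script two captures of the command taken a few seconds apart; a shaper whose delta stays at zero was only dropping in the past, while a growing delta points at a shaper whose maximum (or the interface outbandwidth it is competing for) is too low for the offered load.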


5- Troubleshooting packet loss with the debug flow

When using the debug flow diagnostic command, a specific message indicates that a packet has exceeded the shaper limits and was therefore discarded:

FGT# diagnose debug flow show console enable
FGT# diagnose debug flow filter addr 10.143.0.5
FGT# diagnose debug flow trace start 1000

id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
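Added example (not Fortinet code and not from this article): a Python helper that groups debug flow lines by trace_id, pairs each "received a packet" line with any "exceeded shaper limit, drop" message in the same trace, and aggregates shaper drops per flow. Trace 11 in the sample is the output from this article; traces 12 and 13 are constructed to show a packet that passes and a second flow that is also dropped.

```python
import re
from collections import Counter

# Constructed sample: trace 11 is the output shown in this article; traces 12 and
# 13 are invented (one packet that is not dropped, one TCP flow that is).
SAMPLE_TRACE = """\
id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
id=20085 trace_id=12 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=12 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=13 msg="vd-root received a packet(proto=6, 10.141.0.11:40001->10.143.0.5:80) from port5."
id=20085 trace_id=13 msg="Find an existing session, id-0000eabd, original direction"
id=20085 trace_id=13 msg="exceeded shaper limit, drop"
"""

LINE_RE = re.compile(r'^id=\d+ trace_id=(?P<tid>\d+) msg="(?P<msg>.*)"$')
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), "
    r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)\) from (?P<intf>\S+)\."
)
SHAPER_DROP_MSG = "exceeded shaper limit, drop"


def parse_trace(text):
    """Group debug flow lines by trace_id; record each trace's packet flow and
    whether the trace ended with a shaper drop."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        trace = traces.setdefault(m.group("tid"), {"flow": None, "shaper_drop": False})
        msg = m.group("msg")
        pkt = PKT_RE.search(msg)
        if pkt:
            trace["flow"] = (pkt.group("proto"), pkt.group("src"), pkt.group("dst"), pkt.group("intf"))
        elif msg == SHAPER_DROP_MSG:
            trace["shaper_drop"] = True
    return traces


def shaper_drops_by_flow(text):
    """Count shaper drops per (proto, src, dst, ingress interface) flow."""
    drops = Counter()
    for trace in parse_trace(text).values():
        if trace["shaper_drop"] and trace["flow"] is not None:
            drops[trace["flow"]] += 1
    return drops


def shaper_drop_summary(text):
    """Return (packets dropped by a shaper, packets traced)."""
    traces = parse_trace(text)
    dropped = sum(1 for t in traces.values() if t["shaper_drop"])
    return dropped, len(traces)


if __name__ == "__main__":
    for flow, count in shaper_drops_by_flow(SAMPLE_TRACE).items():
        print("proto=%s %s->%s via %s: %d shaper drop(s)" % (flow + (count,)))
    print("dropped %d of %d traced packets" % shaper_drop_summary(SAMPLE_TRACE))
```

Because the trace filter on the page matches by address only, the per-flow breakdown tells you which conversations are being throttled rather than just that drops exist; a drop ratio close to 1 for a UDP test flow is the expected signature of a shaper whose maximum is below the offered rate.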

 

6- Session list details with dual traffic shaper (originating and reverse traffic)

When a Firewall Policy has a different traffic shaper for each direction, it is reflected in the session list output from the CLI:

diagnose sys session list

session info: proto=6 proto_state=02 expire=115 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=Limit_25Mbps prio=1 guarantee 25600/sec max 204800/sec traffic 48/sec
reply-shaper=Limit_100Mbps prio=1 guarantee 102400/sec max 204800/sec traffic 0/sec

ha_id=0 hakey=44020
policy_dir=0 tunnel=/
state=may_dirty rem
os rs
statistic(bytes/packets/allow_err): org=96/2/1 reply=0/0/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=10.160.0.1/0.0.0.0
hook=pre dir=org act=dnat 192.168.171.243:2538->192.168.182.110:80(10.160.0.1:80)
hook=post dir=reply act=snat 10.160.0.1:80->192.168.171.243:2538(192.168.182.110:80)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0 serial=00011e81 tos=ff/ff app=0 dd_type=0 dd_rule_id=0

Additional Information

  • Packets discarded by the shaper affect flow-control mechanisms such as TCP; for more accurate testing results, prefer the UDP protocol.
  • Traffic shaping accuracy is optimal for Firewall Policies without a protection profile, where no FortiGate proxy (content inspection) is involved.
  • Do not oversubscribe the outbandwidth of an interface: the sum of the guaranteed bandwidths must stay below the outbandwidth. For accuracy in bandwidth calculation, the "outbandwidth" parameter must be set on the interfaces (see related article "Technical Note: Traffic shaping and outbandwidth parameter for Guaranteed and Max bandwidth").
  • The FortiGate does not prioritize traffic based on the DSCP marking configured on the Firewall Policy. However, ToS-based prioritizing can be done at ingress. See the related article "Differentiated Services Code Point (DSCP) behavior" for more information on this topic.
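Added example (not Fortinet code and not from this article) for the oversubscription rule in the third bullet: a Python check that totals the guaranteed bandwidth committed on each egress interface and compares it with the interface's outbandwidth. Policies 1 and 4 and the two limit_* shapers are the ones configured earlier on this page; the shared_GB_100 shaper, policies 7 and 8 and the outbandwidth values are constructed. Assumptions, not stated by the article: a forward shaper counts against the policy's dstintf and a reverse shaper against its srcintf; a per-policy shaper commits its guarantee once per policy while a shared shaper commits it once per interface; shaper values are KB/sec as the article says, outbandwidth is in kbps, and both use 1024-based kilo, so KB/sec x 8 = kbps.

```python
# Unit assumption (not from the article): guaranteed-bandwidth in KB/sec,
# interface outbandwidth in kbps, both 1024-based, so 1 KB/sec = 8 kbps.
KBPS_PER_KBYTE_PER_SEC = 8

# Shapers from this page plus one constructed shared shaper.
SHAPERS = {
    "limit_GB_25_MB_50_LQ": {"guaranteed_kbytes": 25, "per_policy": True},
    "limit_GB_12_MB_25_LQ": {"guaranteed_kbytes": 12, "per_policy": True},
    "shared_GB_100": {"guaranteed_kbytes": 100, "per_policy": False},  # constructed
}

# Policies 1 and 4 from this page; 7 and 8 are constructed and share one shaper.
POLICIES = [
    {"id": 1, "srcintf": "port5", "dstintf": "port6",
     "traffic_shaper": "limit_GB_25_MB_50_LQ", "traffic_shaper_reverse": None},
    {"id": 4, "srcintf": "port2", "dstintf": "port6",
     "traffic_shaper": "limit_GB_25_MB_50_LQ", "traffic_shaper_reverse": "limit_GB_12_MB_25_LQ"},
    {"id": 7, "srcintf": "port2", "dstintf": "port6",
     "traffic_shaper": "shared_GB_100", "traffic_shaper_reverse": None},
    {"id": 8, "srcintf": "port5", "dstintf": "port6",
     "traffic_shaper": "shared_GB_100", "traffic_shaper_reverse": None},
]


def committed_kbps(shapers, policies):
    """Guaranteed kbps committed per egress interface.

    Assumptions: the forward shaper shapes traffic leaving dstintf and the
    reverse shaper traffic leaving srcintf; a per-policy shaper commits its
    guarantee once per policy, a shared shaper once per interface.
    """
    per_intf = {}
    shared_seen = set()
    for pol in policies:
        for shaper_name, egress in ((pol["traffic_shaper"], pol["dstintf"]),
                                    (pol["traffic_shaper_reverse"], pol["srcintf"])):
            if shaper_name is None:
                continue
            shaper = shapers[shaper_name]
            if not shaper["per_policy"]:
                key = (shaper_name, egress)
                if key in shared_seen:
                    continue  # shared shaper already counted on this interface
                shared_seen.add(key)
            kbps = shaper["guaranteed_kbytes"] * KBPS_PER_KBYTE_PER_SEC
            per_intf[egress] = per_intf.get(egress, 0) + kbps
    return per_intf


def oversubscribed(shapers, policies, outbandwidth_kbps):
    """Interfaces whose committed guarantee is not strictly below outbandwidth,
    or that have no outbandwidth configured at all (shaping is then inaccurate).
    Returns {intf: (committed_kbps, outbandwidth_kbps_or_None)}."""
    problems = {}
    for intf, committed in committed_kbps(shapers, policies).items():
        limit = outbandwidth_kbps.get(intf)
        if limit is None or committed >= limit:
            problems[intf] = (committed, limit)
    return problems


if __name__ == "__main__":
    # Constructed outbandwidth values: port6 is too small for what is committed,
    # port2 has no outbandwidth set at all.
    print(committed_kbps(SHAPERS, POLICIES))
    print(oversubscribed(SHAPERS, POLICIES, {"port6": 1000}))
```

Run it against an export of your own shapers and policies before enabling per-policy on a widely used shaper: every policy that references a per-policy shaper adds the full guarantee again, which is the easiest way to exceed an interface's outbandwidth without changing a single shaper value.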


Internal Notes
INTERNAL NOTE: This is the traffic shaping packet flow for 3.0 and 4.0

[Screenshot: traffic shaping packet flow diagram, FortiOS 3.0 and 4.0]




Related Articles

Technical Note: Traffic shaping and outbandwidth parameter for Guaranteed and Max bandwidth

Technical Note : Differentiated Services Code Point (DSCP) processing through a FortiGate
