Technical Tip: Interface-based traffic shaping with NP acceleration
Products
FortiGate v6.4
Description
This article describes how to configure interface-based traffic shaping with NP acceleration.
Scope
The examples that follow are given for versions 6.4.0 and 6.4.2.
Solution
Interface-based traffic shaping with NP acceleration is supported on some units.
An administrator configures the WAN interface's maximum outbound bandwidth and, based on that, creates a traffic shaping profile with a percentage-based shaper.
This allows for proper QoS and traffic shaping.
VLAN interfaces are not supported.

This feature is supported on FortiGate 600E, 500E, and 300E models.

To configure interface-based traffic shaping:

1) Enable NPU offloading when doing interface-based traffic shaping according to the egress-shaping-profile:
# config system npu
    set intf-shaping-offload enable
end
2) Configure shaping profiles.
# config firewall shaping-profile
    edit "sdwan"
        set default-class-id 4
        # config shaping-entries
            edit 1
                set class-id 4
                set guaranteed-bandwidth-percentage 3
                set maximum-bandwidth-percentage 5
            next
            edit 2
                set class-id 3
                set priority medium
                set guaranteed-bandwidth-percentage 50
                set maximum-bandwidth-percentage 100
            next
            edit 3
                set class-id 2
                set priority low
                set guaranteed-bandwidth-percentage 1
                set maximum-bandwidth-percentage 5
            next
        end
    next
end
The class number is limited to 16.

3) Configure a traffic shaper and shaping policy.
# config firewall shaper traffic-shaper
    edit "Transactional"
        set priority medium
    next
end
# config firewall shaping-policy
    edit 1
        set service "ALL"
        set dstintf "any"
        set traffic-shaper "Transactional"
        set class-id 3
        set srcaddr "all"
        set dstaddr "all"
    next
end
4) Apply the egress shaping profile on the interface.

# config system interface
    edit "port2"
        set vdom "root"
        set ip 10.1.100.23 255.255.255.0
        set allowaccess ping
        set type physical
        set outbandwidth 500
        set egress-shaping-profile "sdwan"
        set snmp-index 4
    next
end


5) Configure a firewall policy.
# config firewall policy
    edit 3
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
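
The percentages in step 2 only become concrete rates once they are applied to the outbandwidth set in step 4. The following is an added example, not Fortinet code: it parses a pasted shaping-profile block and returns each class's guaranteed and maximum rate plus any inconsistencies. The name audit_profile and the three consistency checks are assumptions of this example, and outbandwidth is taken to be in kbps.

```python
# Constructed sample: the "sdwan" profile from step 2 (added example, not Fortinet code).
SAMPLE_PROFILE = """\
config firewall shaping-profile
    edit "sdwan"
        set default-class-id 4
        config shaping-entries
            edit 1
                set class-id 4
                set guaranteed-bandwidth-percentage 3
                set maximum-bandwidth-percentage 5
            next
            edit 2
                set class-id 3
                set priority medium
                set guaranteed-bandwidth-percentage 50
                set maximum-bandwidth-percentage 100
            next
            edit 3
                set class-id 2
                set priority low
                set guaranteed-bandwidth-percentage 1
                set maximum-bandwidth-percentage 5
            next
        end
    next
end
"""

def audit_profile(text, kbps):
    """Return ({class_id: (guaranteed_kbps, maximum_kbps)}, [problems]); kbps = outbandwidth (assumed kbps)."""
    default, entries, cur = None, [], None
    for line in text.splitlines():
        tok = line.replace("#", " ").split()      # tolerate the page's "# " prompt prefix
        if tok[:2] == ["set", "default-class-id"]:
            default = int(tok[2])
        elif tok[:1] == ["edit"] and tok[-1].isdigit():
            entries.append(cur := {})             # numeric "edit" opens one shaping entry
        elif tok[:1] == ["set"] and cur is not None:
            cur[tok[1]] = tok[2]
    pct, problems = {}, []
    for e in entries:                             # entries must set both percentages, as on the page
        g, m = (int(e[k + "-bandwidth-percentage"]) for k in ("guaranteed", "maximum"))
        pct[int(e["class-id"])] = (g, m)
        if g > m:
            problems.append(f"class {e['class-id']}: guaranteed {g}% exceeds maximum {m}%")
    if default not in pct:
        problems.append(f"default-class-id {default} has no shaping entry")
    if sum(g for g, _ in pct.values()) > 100:     # sanity check assumed by this example
        problems.append("guaranteed percentages sum to more than 100")
    return {c: (kbps * g / 100, kbps * m / 100) for c, (g, m) in pct.items()}, problems
```

With the outbandwidth of 500 from step 4, class 3 (the class the shaping policy in step 3 assigns) is guaranteed 250 kbps and may use the full 500 kbps.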
Last Modified Date: 08-26-2020 Document ID: FD49668