Traffic Shaping With Fortigate

FortiGate v4.0

Description
This article describes the Traffic Shaping features that have been implemented in FortiOS 4.0.

In FortiOS version 4.0, traffic shaping has been enhanced: new diagnose commands let you verify each traffic shaper's usage, and the configuration is more flexible.

See also the related articles at the end of this page for additional information.

Solution
Summary
1- Traffic shaping configuration is separated from the Firewall policies, allowing multiple policies to share a common configuration
2- Independent shaper configurations can be used for the forward and reverse traffic directions of a policy
3- P2P shaping capabilities are now defined at the application control level
4- Troubleshooting packet loss with statistics on traffic shaping configurations
5- Troubleshooting packet loss with the debug flow diagnose commands
6- Session list details with dual traffic shaper (forward and reverse traffic)

1- Traffic shaping configuration is separated from the Firewall policies
Configure traffic shaping from the CLI:

config firewall traffic-shaper
edit "limit_GB_25_MB_50_LQ"
set guaranteed-bandwidth 25
set maximum-bandwidth 50
set priority low
set per-policy enable (*)
next
end

(*) The default value is disable: the shaper's limits then apply to all policies using this configuration together.
If per-policy is enabled, each policy using the shaper gets its own independent instance of the traffic shaping configuration.


Attach a traffic shaping configuration to a Firewall Policy

config firewall policy
edit 1
set srcintf "port5"
set dstintf "port6"
set srcaddr "VM11"
set dstaddr "VM5"
set action accept
set schedule "always"
set service "ANY"
set traffic-shaper "limit_GB_25_MB_50_LQ"
next
end

In the web-based manager, you can see the results by going to Firewall > Traffic Shaping.


Select Edit to view the new options for each shaper, which include Per policy and For all Policies.


2- Traffic Shaping for reverse traffic
FortiOS 4.0 lets you use a separate shaper for the reverse traffic of a Firewall Policy. With FortiOS 3.0, the reverse traffic was shaped with the same shaper profile as the originating traffic.
To configure it using the CLI, enter the following commands:
config firewall policy
edit 4
set srcintf "port2"
set dstintf "port6"
set srcaddr "VM3"
set dstaddr "VM6"
set action accept
set schedule "always"
set service "ANY"
set traffic-shaper "limit_GB_25_MB_50_LQ"
set traffic-shaper-reverse "limit_GB_12_MB_25_LQ"
next
end

3- P2P shaping is defined at the application control level
In FortiOS version 3.0, the P2P traffic limits were defined at the protection profile level.


To configure P2P shaping in FortiOS 4.0
1. Create the appropriate traffic shaper as outlined above.
2. Create an Application Control List that uses this traffic shaper.

To configure in the CLI, enter the following commands:
config application list
edit "My P2P application"
config entries
edit 1
set action pass
set application 9
set category 2
set shaper "My P2P shaper"
set shaper-reverse "My P2P shaper"
next
end
next
end

4- Troubleshooting packet loss with statistics on shapers
Each shaper has counters that let you verify whether packets have been discarded.
To view this information, in the CLI, enter the command diagnose firewall shaper.
The results will look similar to the following output:
FGT# diagnose firewall shaper

name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 KB/sec
guaranteed-bandwidth 25 KB/sec
current-bandwidth 51 KB/sec
priority 3
dropped 1291985

Note: The diagnose command output differs depending on whether the shapers are configured per-policy or shared between policies.
Below is an example where two policies use the same shaper; because the shaper is per-policy, it maintains a separate statistics entry for each policy:
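The output above is what a practitioner reads by hand when hunting for shaper drops; the following is an added Python example (not part of the original article and not a Fortinet tool) that parses `diagnose firewall shaper` output into records and flags shapers that are discarding packets or running at their maximum. The two-shaper sample is constructed in the format shown above; the record layout (one `name` line starting each shaper, values printed in KB/sec) is assumed from that output.

```python
# Constructed sample in the format of `diagnose firewall shaper` shown above.
# Two shapers; the second one's values are made up for illustration.
SAMPLE_SHAPER_OUTPUT = """\
name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 KB/sec
guaranteed-bandwidth 25 KB/sec
current-bandwidth 51 KB/sec
priority 3
dropped 1291985

name limit_GB_12_MB_25_LQ
maximum-bandwidth 25 KB/sec
guaranteed-bandwidth 12 KB/sec
current-bandwidth 3 KB/sec
priority 3
dropped 0
"""


def parse_shapers(text):
    """Parse `diagnose firewall shaper` output into a list of dicts, one per shaper.

    A new record starts at every 'name' line (assumed layout). Bandwidth values
    are kept as integers in the unit the device prints (KB/sec); no conversion.
    """
    shapers = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "name":
            current = {"name": value}
            shapers.append(current)
        elif current is not None:
            # "50 KB/sec" -> 50, "1291985" -> 1291985
            current[key] = int(value.split()[0])
    return shapers


def find_problem_shapers(shapers):
    """Return (name, reasons) for shapers that discarded packets or are being
    actively limited (current bandwidth at or above the configured maximum)."""
    problems = []
    for s in shapers:
        reasons = []
        if s.get("dropped", 0) > 0:
            reasons.append("dropped=%d packets" % s["dropped"])
        current = s.get("current-bandwidth", 0)
        maximum = s.get("maximum-bandwidth", 0)
        if maximum and current >= maximum:
            reasons.append("current %d KB/sec at/above maximum %d KB/sec"
                           % (current, maximum))
        if reasons:
            problems.append((s["name"], reasons))
    return problems


if __name__ == "__main__":
    for name, reasons in find_problem_shapers(parse_shapers(SAMPLE_SHAPER_OUTPUT)):
        print(name, "->", "; ".join(reasons))
```

Run it against the saved output of the diagnose command instead of the sample to get a short list of the shapers worth looking at; a shaper with a growing `dropped` counter and `current-bandwidth` pinned at its maximum is the one causing the packet loss described in this section.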



5- Troubleshooting packet loss with the debug flow
When using the debug flow diagnostic command, a specific message indicates that a packet has exceeded the shaper limits and was therefore discarded:
FGT# diagnose debug flow show console enable
FGT# diagnose debug flow filter addr 10.143.0.5
FGT# diagnose debug flow trace start 1000
id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
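To turn a long debug flow capture into something actionable, the drop message has to be tied back to the packet it belongs to (the `trace_id` is shared by all lines of one packet trace). The following is an added Python example, not code from the original article or from Fortinet, that groups trace lines by `trace_id`, extracts the 5-tuple from the "received a packet" line, and counts shaper drops per flow. The trace lines are constructed in the format shown above with made-up addresses and trace ids; the line layout is assumed from that output.

```python
import re
from collections import Counter

# Constructed sample trace lines in the format shown above (addresses, ports,
# session ids and trace ids are made up; three packets, two of them dropped).
SAMPLE_TRACE = """\
id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
id=20085 trace_id=12 msg="vd-root received a packet(proto=17, 10.141.0.11:3736->10.143.0.5:5001) from port5."
id=20085 trace_id=12 msg="Find an existing session, id-0000eabd, original direction"
id=20085 trace_id=13 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=13 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=13 msg="exceeded shaper limit, drop"
"""

LINE_RE = re.compile(r'trace_id=(\d+) msg="(.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\w+)')
SESSION_RE = re.compile(r'session, (id-[0-9a-f]+)')
DROP_MSG = "exceeded shaper limit, drop"


def parse_trace(text):
    """Group debug flow lines by trace_id.

    Each packet trace becomes a dict with its protocol, src, dst, ingress
    interface, session id (when found) and a shaper_drop flag.
    """
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(tid, {"trace_id": tid, "shaper_drop": False})
        pm = PKT_RE.search(msg)
        if pm:
            t.update(proto=int(pm.group(1)), src=pm.group(2),
                     dst=pm.group(3), iface=pm.group(4))
        sm = SESSION_RE.search(msg)
        if sm:
            t["session"] = sm.group(1)
        if msg == DROP_MSG:
            t["shaper_drop"] = True
    return list(traces.values())


def shaper_drops_by_flow(traces):
    """Count shaper drops per (proto, src, dst) so the affected flows stand out."""
    return Counter((t["proto"], t["src"], t["dst"])
                   for t in traces if t["shaper_drop"] and "src" in t)


def drop_summary(traces):
    """Overall numbers: packets traced vs. packets discarded by a shaper."""
    dropped = sum(1 for t in traces if t["shaper_drop"])
    return {"traced": len(traces), "shaper_dropped": dropped}


if __name__ == "__main__":
    traces = parse_trace(SAMPLE_TRACE)
    print(drop_summary(traces))
    for flow, n in shaper_drops_by_flow(traces).most_common():
        print("proto=%d %s -> %s: %d shaper drops" % (flow[0], flow[1], flow[2], n))
```

Because the filter in the commands above already narrows the trace to one address, the per-flow counter tells you directly which source port or peer is hitting the shaper, and the summary gives the share of traced packets that the shaper discarded.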

6- Session list details with dual traffic shaper (originating and reverse traffic)
When a Firewall Policy has a different traffic shaper for each direction, it is reflected in the session list output from the CLI:
diagnose sys session list
session info: proto=6 proto_state=02 expire=115 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=Limit_25Mbps prio=1 guarantee 25600/sec max 204800/sec traffic 48/sec
reply-shaper=Limit_100Mbps prio=1 guarantee 102400/sec max 204800/sec traffic 0/sec
ha_id=0 hakey=44020
policy_dir=0 tunnel=/
state=may_dirty rem os rs
statistic(bytes/packets/allow_err): org=96/2/1 reply=0/0/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=10.160.0.1/0.0.0.0
hook=pre dir=org act=dnat 192.168.171.243:2538->192.168.182.110:80(10.160.0.1:80)
hook=post dir=reply act=snat 10.160.0.1:80->192.168.171.243:2538(192.168.182.110:80)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0 serial=00011e81 tos=ff/ff app=0 dd_type=0 dd_rule_id=0
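When the session table is large, the `origin-shaper` and `reply-shaper` lines are easier to review programmatically. The following is an added Python example, not code from the original article or from Fortinet, that splits `diagnose sys session list` output into sessions, extracts both shaper lines and the `policy_id`, and lists the sessions that are shaped with a different shaper per direction. The sample is constructed from the format shown above (a second session without shapers is made up); the line layout is assumed from that output, and the per-second values are kept exactly as the device prints them.

```python
import re

# Constructed sample in the format of `diagnose sys session list` shown above.
# The first session is the dual-shaped one from the article; the second session
# (policy_id=1, no shaper lines) is made up to show the contrast.
SAMPLE_SESSION_LIST = """\
session info: proto=6 proto_state=02 expire=115 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=Limit_25Mbps prio=1 guarantee 25600/sec max 204800/sec traffic 48/sec
reply-shaper=Limit_100Mbps prio=1 guarantee 102400/sec max 204800/sec traffic 0/sec
ha_id=0 hakey=44020
policy_dir=0 tunnel=/
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0 serial=00011e81 tos=ff/ff app=0 dd_type=0 dd_rule_id=0
session info: proto=17 proto_state=01 expire=170 timeout=180 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
ha_id=0 hakey=44021
policy_dir=0 tunnel=/
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=00011e82 tos=ff/ff app=0 dd_type=0 dd_rule_id=0
"""

SHAPER_RE = re.compile(
    r'^(origin|reply)-shaper=(\S+) prio=(\d+) guarantee (\d+)/sec max (\d+)/sec traffic (\d+)/sec')
POLICY_RE = re.compile(r'\bpolicy_id=(\d+)')


def parse_session_list(text):
    """Split session list output into sessions; keep shapers and policy_id.

    Each session is {'policy_id': int, 'shapers': {'origin': {...}, 'reply': {...}}}
    where the shaper dicts hold name, prio, guarantee, max and traffic
    (per-second values exactly as printed, no unit conversion).
    """
    sessions = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("session info:"):
            current = {"shapers": {}}
            sessions.append(current)
            continue
        if current is None:
            continue
        m = SHAPER_RE.match(line)
        if m:
            current["shapers"][m.group(1)] = {
                "name": m.group(2), "prio": int(m.group(3)),
                "guarantee": int(m.group(4)), "max": int(m.group(5)),
                "traffic": int(m.group(6)),
            }
            continue
        pm = POLICY_RE.search(line)
        if pm:
            current["policy_id"] = int(pm.group(1))
    return sessions


def is_dual_shaped(session):
    """True when the session has distinct shapers for originating and reply traffic."""
    s = session["shapers"]
    return "origin" in s and "reply" in s and s["origin"]["name"] != s["reply"]["name"]


def dual_shaped_sessions(sessions):
    """Sessions whose policy carries a traffic-shaper and a different traffic-shaper-reverse."""
    return [s for s in sessions if is_dual_shaped(s)]


if __name__ == "__main__":
    for s in dual_shaped_sessions(parse_session_list(SAMPLE_SESSION_LIST)):
        print("policy_id=%d origin=%s reply=%s" % (
            s["policy_id"], s["shapers"]["origin"]["name"], s["shapers"]["reply"]["name"]))
```

Grouping the result by `policy_id` is a quick way to confirm that the `traffic-shaper-reverse` setting from section 2 is actually being applied to the sessions of the policy you expect.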

Additional Information
• Packets discarded by the shaper affect flow-control mechanisms such as TCP; for more accurate testing results, prefer the UDP protocol.
• Traffic shaping accuracy is optimal for Firewall Policies without a protection profile, where no FortiGate proxy (content inspection) processing takes place.
• Do not oversubscribe the outbandwidth throughput; for example, sum[guaranteed BW] < outbandwidth. For accurate bandwidth calculation, the "outbandwidth" parameter must be set on the interfaces (see the related article "Technical Note: Traffic shaping and outbandwidth parameter for Guaranteed and Max bandwidth").
• FortiGate does not prioritize traffic based on the DSCP marking configured on the Firewall Policy. However, ToS-based prioritization can be done at ingress. See the related article "Differentiated Services Code Point (DSCP) behavior" for more information on this topic.
