SD-WAN traffic shaping and QoS
Use a traffic shaper in a firewall shaping policy to control traffic flow. A shaper can enforce a maximum and a guaranteed bandwidth, and it can assign matching traffic to one of three priorities: high, medium, or low.
An advanced shaping policy can classify traffic into up to 30 groups. A shaping profile defines the percentage of the interface bandwidth allocated to each group, and each group is shaped to its share of the outgoing bandwidth limit configured on the interface.
For more information, see Traffic shaping.
Sample topology
Sample configuration
This example shows a typical deployment in which the customer's SD-WAN uses the default zone and has two members, wan1 and wan2, each limited to 10 Mb/s.
The configuration does the following:
- Gives HTTP/HTTPS traffic high priority and FTP traffic low priority, so that when they compete for bandwidth the FortiGate forwards HTTP/HTTPS first.
- Even though FTP has low priority, gives it a guaranteed 1 Mb/s on each SD-WAN member. When there is no FTP traffic, other traffic can use all of the bandwidth; under heavy FTP load, FTP is still guaranteed 1 Mb/s.
- Forwards traffic to a specific destination, such as a VoIP server, over wan1 and marks it with the Expedited Forwarding (EF) DSCP tag 101110 (decimal 46).
To configure SD-WAN traffic shaping and QoS in the GUI:
- On the FortiGate, add wan1 and wan2 as SD-WAN members, then add a firewall policy and a static route. See SD-WAN quick start.
- Add a firewall policy with Application Control enabled. See Configuring firewall policies for SD-WAN.
- Go to Policy & Objects > Traffic Shapers and edit low-priority.
- Enable Guaranteed Bandwidth and set it to 1000 kbps.
- Go to Policy & Objects > Traffic Shaping Policy and click Create New.
- Name the traffic shaping policy, for example, HTTP-HTTPS.
- Set the following:
    Source: all
    Destination: all
    Service: HTTP and HTTPS
    Outgoing interface: virtual-wan-link
    Shared Shaper: enable and set to high-priority
    Reverse Shaper: enable and set to high-priority
- Click OK.
- Go to Policy & Objects > Traffic Shaping Policy and click Create New.
- Name the traffic shaping policy, for example, FTP.
- Set the following:
    Source: all
    Destination: all
    Service: FTP, FTP_GET, and FTP_PUT
    Outgoing interface: virtual-wan-link
    Shared Shaper: enable and set to low-priority
    Reverse Shaper: enable and set to low-priority
- Click OK.
- Go to Network > SD-WAN Rules and click Create New.
- Enter a name for the rule, such as Internet.
- In the Destination section, click Address and select the firewall address object you created for the VoIP server.
- Under Outgoing Interfaces, select Manual.
- For Interface preference, select wan1.
- Click OK.
- DSCP marking for the rule is set in the CLI. See the SD-WAN CLI configuration below.
To configure the firewall policy using the CLI:
config firewall policy
    edit 1
        set name "1"
        set srcintf "dmz"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "default"
        set nat enable
    next
end
To configure the firewall traffic shaper priority using the CLI:
config firewall shaper traffic-shaper
    edit "high-priority"
        set maximum-bandwidth 1048576
        set per-policy enable
    next
    edit "low-priority"
        set guaranteed-bandwidth 1000
        set maximum-bandwidth 1048576
        set priority low
        set per-policy enable
    next
end
To configure the firewall traffic shaping policy using the CLI:
config firewall shaping-policy
    edit 1
        set name "http-https"
        set service "HTTP" "HTTPS"
        set dstintf "virtual-wan-link"
        set traffic-shaper "high-priority"
        set traffic-shaper-reverse "high-priority"
        set srcaddr "all"
        set dstaddr "all"
    next
    edit 2
        set name "FTP"
        set service "FTP" "FTP_GET" "FTP_PUT"
        set dstintf "virtual-wan-link"
        set traffic-shaper "low-priority"
        set traffic-shaper-reverse "low-priority"
        set srcaddr "all"
        set dstaddr "all"
    next
end
To configure the SD-WAN members and the DSCP-marking rule in the CLI:
config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 172.16.20.2
        next
        edit 2
            set interface "wan2"
            set gateway 10.100.20.2
        next
    end
    config service
        edit 1
            set name "SIP"
            set priority-members 1
            set dst "voip-server"
            set dscp-forward enable
            set dscp-forward-tag 101110
        next
    end
end
If no SD-WAN zone is specified, members are added to the default virtual-wan-link zone.
To check that each shaping policy is attached to the correct traffic shaper, list iprope table 100015, which holds the shaping policies:
# diagnose firewall iprope list 100015
policy index=1 uuid_idx=0 action=accept
flag (0):
shapers: orig=high-priority(2/0/134217728) reply=high-priority(2/0/134217728)
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(2): 36 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
service(2):
    [6:0x0:0/(1,65535)->(80,80)] helper:auto
    [6:0x0:0/(1,65535)->(443,443)] helper:auto

policy index=2 uuid_idx=0 action=accept
flag (0):
shapers: orig=low-priority(4/128000/134217728) reply=low-priority(4/128000/134217728)
cos_fwd=0 cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(2): 36 38
source(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=6,
service(3):
    [6:0x0:0/(1,65535)->(21,21)] helper:auto
    [6:0x0:0/(1,65535)->(21,21)] helper:auto
    [6:0x0:0/(1,65535)->(21,21)] helper:auto
The three values in parentheses after each shaper name are the priority (2 = high, 4 = low), the guaranteed bandwidth in bytes per second, and the maximum bandwidth in bytes per second.
To check which traffic shaper is applied to a session, list the session table. The FTP session below (helper=ftp, destination port 21) shows origin-shaper=low-priority and shaping_policy_id=2, which is the FTP shaping policy:
# diagnose sys session list
session info: proto=6 proto_state=01 duration=11 expire=3599 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper=low-priority prio=4 guarantee 128000Bps max 1280000Bps traffic 1050Bps drops 0B
reply-shaper=
per_ip_shaper=
class_id=0 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ helper=ftp vlan_cos=0/255
state=may_dirty npu npd os mif route_preserve
statistic(bytes/packets/allow_err): org=868/15/1 reply=752/10/1 tuples=2
tx speed(Bps/kbps): 76/0 rx speed(Bps/kbps): 66/0
orgin->sink: org pre->post, reply pre->post dev=39->38/38->39 gwy=172.16.200.55/0.0.0.0
hook=post dir=org act=snat 10.1.100.11:58241->172.16.200.55:21(172.16.200.1:58241)
hook=pre dir=reply act=dnat 172.16.200.55:21->172.16.200.1:58241(10.1.100.11:58241)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=4 serial=0003255f tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x100000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: offload-denied helper
total session 1
To check the status of the shared traffic shapers, including dropped packets, list the shapers. Because per-policy is enabled on both shapers, each one is listed twice: once as the global instance and once per shaping policy (the entries with a policy line):
# diagnose firewall shaper traffic-shaper list
name high-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 0 KB/sec
current-bandwidth 0 B/sec
priority 2
tos ff
packets dropped 0
bytes dropped 0

name low-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 125 KB/sec
current-bandwidth 0 B/sec
priority 4
tos ff
packets dropped 0
bytes dropped 0

name high-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 0 KB/sec
current-bandwidth 0 B/sec
priority 2
policy 1
tos ff
packets dropped 0
bytes dropped 0

name low-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 125 KB/sec
current-bandwidth 0 B/sec
priority 4
policy 2
tos ff
packets dropped 0
bytes dropped 0
Bandwidth is printed in KB/sec while the configuration is in kbps: 125 KB/sec is the 1000 kbps guaranteed to low-priority, and 131072 KB/sec is the 1048576 kbps maximum configured on both shapers.
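The diagnose output above is what you would parse when verifying this configuration from a script rather than by eye. The following Python is an added example for this page, not FortiOS code and not part of the original page: it parses the per-policy entries of the shaper list, checks that policy 1 carries the high-priority shaper and policy 2 the low-priority shaper with 1000 kbps guaranteed and nothing dropped, and converts the six-bit dscp-forward-tag string to the decimal DSCP value and the DS byte seen on the wire. The sample output is constructed to match the field layout shown on the page; the priority numbers 2 = high and 4 = low come from the page's output, while 3 = medium is an assumption.

```python
"""Check FortiOS shaper diagnostics against the shaping policy on this page.
Added example, not FortiOS code and not from the original page. The sample
output is constructed to match the field layout the page shows for
'diagnose firewall shaper traffic-shaper list'. Priority numbers 2=high
and 4=low come from the page's output; 3=medium is an assumption."""
import re

# Constructed sample: the two per-policy instances from the page, one field
# per line as the CLI prints them (the global instances are omitted here).
SHAPER_LIST = """\
name high-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 0 KB/sec
current-bandwidth 0 B/sec
priority 2
policy 1
tos ff
packets dropped 0
bytes dropped 0

name low-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 125 KB/sec
current-bandwidth 0 B/sec
priority 4
policy 2
tos ff
packets dropped 0
bytes dropped 0
"""

PRIORITY_NAMES = {2: "high", 3: "medium", 4: "low"}  # 3=medium is assumed

# The CLI prints KB/sec; the configuration is in kbps (1 KB/s = 8 kbps).
FIELD_RE = {
    "max_KBps": re.compile(r"^maximum-bandwidth (\d+) KB/sec"),
    "guaranteed_KBps": re.compile(r"^guaranteed-bandwidth (\d+) KB/sec"),
    "priority": re.compile(r"^priority (\d+)"),
    "policy": re.compile(r"^policy (\d+)"),
    "packets_dropped": re.compile(r"^packets dropped (\d+)"),
}


def parse_shaper_list(text):
    """One dict per shaper instance; 'policy' is None for a global instance."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name "):
            current = {"name": line[5:], "policy": None}
            records.append(current)
        elif current is not None:
            for key, rx in FIELD_RE.items():
                m = rx.match(line)
                if m:
                    current[key] = int(m.group(1))
                    break
    for r in records:
        r["max_kbps"] = r.get("max_KBps", 0) * 8
        r["guaranteed_kbps"] = r.get("guaranteed_KBps", 0) * 8
        r["priority_name"] = PRIORITY_NAMES.get(r.get("priority"), "unknown")
    return records


def check_policy_shapers(records, expected):
    """expected: {policy_id: (shaper name, priority name, guaranteed kbps)}.
    Returns mismatches; an empty list means each policy has the intended
    shaper and that shaper has dropped nothing."""
    problems = []
    by_policy = {r["policy"]: r for r in records if r["policy"] is not None}
    for pid, (name, prio, guaranteed) in expected.items():
        r = by_policy.get(pid)
        if r is None:
            problems.append(f"policy {pid}: no per-policy shaper instance")
            continue
        if r["name"] != name:
            problems.append(f"policy {pid}: shaper {r['name']}, expected {name}")
        if r["priority_name"] != prio:
            problems.append(f"policy {pid}: priority {r['priority_name']}, expected {prio}")
        if r["guaranteed_kbps"] != guaranteed:
            problems.append(f"policy {pid}: guaranteed {r['guaranteed_kbps']} kbps, expected {guaranteed}")
        if r.get("packets_dropped", 0):
            problems.append(f"policy {pid}: shaper dropped {r['packets_dropped']} packets")
    return problems


def dscp_tag(bits):
    """Six-bit 'dscp-forward-tag' string -> (decimal DSCP, DS byte in the IP
    header, i.e. DSCP << 2 with the ECN bits zero). '101110' is EF: 46, 0xb8."""
    if len(bits) != 6 or set(bits) - {"0", "1"}:
        raise ValueError("dscp-forward-tag must be six binary digits")
    dscp = int(bits, 2)
    return dscp, dscp << 2


if __name__ == "__main__":
    wanted = {1: ("high-priority", "high", 0), 2: ("low-priority", "low", 1000)}
    issues = check_policy_shapers(parse_shaper_list(SHAPER_LIST), wanted)
    print("shapers OK" if not issues else "\n".join(issues))
    print("EF 101110 -> DSCP %d, DS byte 0x%02x" % dscp_tag("101110"))
```

Run it against real output by replacing SHAPER_LIST with the text captured from the FortiGate; the global instances (no policy line) are parsed with policy set to None and ignored by the check, so only the per-policy entries are compared. A non-zero packets dropped count on low-priority under load is expected behaviour for traffic above its guarantee, so treat that finding as a capacity signal rather than a misconfiguration.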