Interface-based shaping profiles and monitoring
The traffic monitor now supports interface-based shaping profiles.
The traffic shaping profiles feature is available for central management and per-device management of SD-WAN networks. It is available for ADOM versions 6.2 and 6.4.
This topic contains the following sections:
- Configuring traffic shaping profiles
- Monitoring traffic shaping
- Configuring traffic shaping with the CLI
Configuring traffic shaping profiles
This procedure assumes that you have already configured an SD-WAN network. Before you can install traffic shaping profiles via a policy package to FortiGate devices in an SD-WAN network, you must complete the following steps.
To configure traffic shaping profiles:
- Configure shaping profiles:
- Go to Policy & Objects > Object Configurations > Firewall Objects > Shaping Profile.
- Click Create New, and create a shaping profile.
- Create shaping groups and traffic shaping class ID.
- Click Create New in the Additional Shaping Groups table.
- Configure the Guaranteed Bandwidth, Maximum Bandwidth, and Priority for the shaping group.
- Click the Traffic Shaping Class ID dropdown and select a traffic class, or click the Add button to create a new traffic class.
- Assign shaping profiles to interfaces:
- Go to Policy & Objects > Object Configurations > Zone/Interface > Interface.
- In the content pane, double-click an interface to open it for editing.
- Map the shaping profile to a device or group.
- Create an IPv4 policy for the SD-WAN network.
- Create a traffic shaping policy:
- Go to Policy & Objects > Policy Packages > Traffic Shaping Policy.
The traffic shaping policies are displayed.
- Click Create New.
- Select Assign Group as the Then > Action, and in the Traffic Shaping Class ID box, select the class ID object that you created, and set the remaining options as desired.
- Install the IPv4 and traffic shaping policies to the FortiGate devices in the SD-WAN network.
After the policies are installed, you can monitor traffic shaping.
Monitoring traffic shaping
To monitor traffic shaping:
- Go to Device Manager > Device & Groups.
- In the tree menu, select the device group, for example, Managed Devices.
The list of devices is displayed in the content pane and in the bottom tree menu.
- In the bottom tree menu, select a device.
The System: Dashboard for the device displays in the content pane.
- Go to Monitor: Traffic Shaping.
This option may need to be enabled in Display Options before it is available.
Graphs of Bandwidth and Dropped Bytes are displayed. Below the graphs you can view the Class ID, Guaranteed Bandwidth(Kbps), Maximum Bandwidth(Kbps), and Application.
- Select a different port from the list.
The graphs and information update.
- Set the refresh interval to every 5, 10, 15, 20, or 30 minutes, or select Manual Refresh.
- You can enable or disable data history by using the CLI.
    config system admin setting
        set sdwan-monitor-history {enable | disable}
    end
By default, sdwan-monitor-history is set to disable, and you can view the last 10 minutes of data. The request/response data is retrieved directly from FortiGate. You can check /var/rtm/history for log files.
When you set sdwan-monitor-history to enable, you can view data for the last 24/12/6/1/N hours, or you can customize the time up to a maximum of 180 days. You can check /var/rtm/history for log files, which are appended every 5 minutes.
In 6.4.3 and later, the traffic shaping monitor can be added as a widget in the device database's Dashboard page.
Configuring traffic shaping with the CLI
This procedure assumes that you have already configured an SD-WAN network.
To configure traffic shaping with the CLI:
- Create traffic class objects:
    config firewall traffic-class
        edit 2
            set class-name "2"
        next
        edit 3
            set class-name "3"
        next
        edit 4
            set class-name "4"
        next
        edit 5
            set class-name "5"
        next
        edit 6
            set class-name "6"
        next
    end
- Configure shaping profiles:
Use the class ID created in the previous step.
    config firewall shaping-profile
        edit "egress"
            set default-class-id 2
            config shaping-entries
                edit 1
                    set class-id 2
                    set priority low
                    set guaranteed-bandwidth-percentage 5
                    set maximum-bandwidth-percentage 20
                next
                edit 3
                    set class-id 3
                    set priority medium
                    set guaranteed-bandwidth-percentage 10
                    set maximum-bandwidth-percentage 30
                next
                edit 4
                    set class-id 4
                    set guaranteed-bandwidth-percentage 15
                    set maximum-bandwidth-percentage 40
                next
                edit 2
                    set class-id 5
                    set priority critical
                    set guaranteed-bandwidth-percentage 20
                    set maximum-bandwidth-percentage 50
                next
                edit 5
                    set class-id 6
                    set priority top
                    set guaranteed-bandwidth-percentage 25
                    set maximum-bandwidth-percentage 60
                next
            end
        next
        edit "ingress"
            set default-class-id 3
            config shaping-entries
                edit 1
                    set class-id 3
                    set priority medium
                    set guaranteed-bandwidth-percentage 30
                    set maximum-bandwidth-percentage 50
                next
                edit 2
                    set class-id 5
                    set guaranteed-bandwidth-percentage 50
                    set maximum-bandwidth-percentage 80
                next
            end
        next
    end
- Assign shaping profiles to interfaces:
Use the shaping profile created in the previous step.
    config system interface
        ...
        edit "port2"
            set vdom "root"
            set ip 172.20.11.9 255.255.255.0
            set allowaccess ping https ssh http
            set type physical
            set inbandwidth 100
            set outbandwidth 100
            set egress-shaping-profile "egress"
            set estimated-upstream-bandwidth 15000
            set estimated-downstream-bandwidth 15000
            set role wan
            set snmp-index 2
            set ingress-shaping-profile "ingress"
        next
        edit "port3"
            set vdom "root"
            set ip 172.20.12.9 255.255.255.0
            set allowaccess ping ssh
            set type physical
            set inbandwidth 500
            set outbandwidth 500
            set egress-shaping-profile "egress"
            set estimated-upstream-bandwidth 500
            set estimated-downstream-bandwidth 500
            set role wan
            set snmp-index 3
            set ingress-shaping-profile "ingress"
        next
        ...
        edit "vpn_dc1-1"
            set vdom "root"
            set ip 10.254.30.2 255.255.255.255
            set allowaccess ping
            set type tunnel
            set egress-shaping-profile "egress"
            set remote-ip 10.254.30.1 255.255.255.0
            set estimated-upstream-bandwidth 100
            set estimated-downstream-bandwidth 50
            set role wan
            set snmp-index 113
            set interface "port2"
            set ingress-shaping-profile "ingress"
        next
        edit "vpn_dc1-2"
            set vdom "root"
            set ip 10.254.31.2 255.255.255.255
            set allowaccess ping
            set type tunnel
            set remote-ip 10.254.31.1 255.255.255.0
            set estimated-upstream-bandwidth 15000
            set estimated-downstream-bandwidth 500
            set role wan
            set snmp-index 114
            set interface "port3"
        next
    end
- Create an IPv4 policy for the SD-WAN network.
- Create a traffic shaping policy:
Use the class ID created in previous steps.
    config firewall shaping-policy
        edit 1
            set name "default"
            set service "ALL"
            set application 15832 16001 16331
            set dstintf "port2" "port3" "vpn_dc1-1"
            set class-id 2
            set srcaddr "all"
            set dstaddr "all"
        next
        edit 2
            set name "shaping-ftp"
            set service "ALL"
            set application 27210 16541 16354 38924
            set dstintf "port3" "port2" "vpn_dc1-1"
            set class-id 3
            set srcaddr "all"
            set dstaddr "all"
        next
        edit 3
            set name "http"
            set service "ALL"
            set application 16365 15896 152305673 16253
            set dstintf "port2" "port3" "vpn_dc1-1"
            set class-id 4
            set srcaddr "all"
            set dstaddr "all"
        next
        edit 4
            set name "5"
            set service "ALL"
            set application 16103 16104 16074
            set dstintf "port2" "port3" "vpn_dc1-1"
            set class-id 5
            set srcaddr "all"
            set dstaddr "all"
        next
        edit 5
            set name "6"
            set service "ALL"
            set application 16213 152305672 16270
            set dstintf "port3" "port4" "vpn_dc1-1"
            set class-id 6
            set srcaddr "all"
            set dstaddr "all"
        next
    end
- Install the IPv4 and traffic shaping policies to the FortiGate devices in the SD-WAN network.
After the policies are installed, you can monitor traffic shaping.
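The CLI steps above chain together: each shaping policy names a class ID and destination interfaces, each interface names an egress shaping profile, and each profile lists the class IDs it shapes. The following Python check walks that chain before installation; it is an added example, not part of the Fortinet documentation, `parse` and `check` are hypothetical helper names, and the sample configuration is constructed.

```python
import shlex

def parse(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts."""
    stack = [{}]
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):      # open a nested table or entry
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":                 # values are kept as a list of strings
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):       # close the current entry or table
            stack.pop()
    return stack[0]

def check(cfg):
    """Flag shaping policies whose class ID the outgoing interface cannot shape."""
    profiles = cfg.get("firewall shaping-profile", {})
    intfs, findings = cfg.get("system interface", {}), []
    for pid, pol in cfg.get("firewall shaping-policy", {}).items():
        cid = pol["class-id"][0]
        for intf in pol["dstintf"]:
            name = intfs.get(intf, {}).get("egress-shaping-profile", [""])[0]
            entries = profiles.get(name, {}).get("shaping-entries", {}).values()
            if not name:
                findings.append(f"policy {pid}: {intf} has no egress shaping profile")
            elif cid not in {e["class-id"][0] for e in entries}:
                findings.append(f"policy {pid}: class-id {cid} not in profile {name}")
    return findings

SAMPLE = """config firewall shaping-profile
    edit "egress"
        config shaping-entries
            edit 1
                set class-id 2
            next
        end
    next
end
config system interface
    edit "port2"
        set egress-shaping-profile "egress"
    next
end
config firewall shaping-policy
    edit 1
        set dstintf "port2" "port3"
        set class-id 4
    next
end"""
print("\n".join(check(parse(SAMPLE))))  # SAMPLE is constructed, not the page's config
```

An empty result means every shaping policy resolves to a shaping entry on each of its destination interfaces.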