Fortinet Fortigate-5000 series Administration Manual page 225

Firewall Policy
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Traffic shaping that is applied to a firewall policy is enforced for traffic
flowing in either direction. A session set up by an internal host to an external
one, via an Internal -> External policy, therefore has traffic shaping applied
even if the data stream then flows from external to internal. Examples are an
FTP "get", or an SMTP server connecting to an external one in order to retrieve
email.
Also note that traffic shaping is effective for normal IP traffic at normal traffic rates.
Traffic shaping is not effective during extremely high-traffic situations where the
traffic is exceeding the FortiGate unit's capacity. Packets must be received by the
FortiGate unit before they are subject to traffic shaping. If the FortiGate unit
cannot process all of the traffic it receives, then dropped packets, delays, and
latency are likely to occur.
For traffic shaping to work at its best, make sure that the interface Ethernet
statistics are free of errors, collisions, and buffer overruns. If they are not,
FortiGate and switch settings may require adjusting.
To make traffic shaping work efficiently, be sure to observe the following rules:
• Enable traffic shaping on all firewall policies. If you do not apply any traffic
  shaping rule to a policy, the policy is set to high priority by default.
• Distribute firewall policies over all three priority queues (low, medium and
  high).
• Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is
  significantly less than the bandwidth capacity of the interface.

Configuring FortiGate traffic shaping
You enable and specify traffic shaping settings when you configure firewall
policies.
To configure traffic shaping
1. Go to Firewall > Policy.
2. When you create a new policy or edit a policy, select the Traffic Shaping option.
3. Configure the following three options:
Guaranteed Bandwidth
    Use traffic shaping to guarantee the amount of bandwidth available
    through the firewall for a policy. Guarantee bandwidth (in Kbytes) to
    ensure there is enough bandwidth available for a high-priority service.
    Be sure that the sum of all Guaranteed Bandwidth in all firewall policies
    is significantly less than the bandwidth capacity of the interface.

Maximum Bandwidth
    Use traffic shaping to limit the amount of bandwidth available through
    the firewall for a policy. Limit bandwidth to keep less important services
    from using bandwidth needed for more important services.

Traffic Priority
    Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit
    manages the relative priorities of different types of traffic. For example,
    a policy for connecting to a secure web server needed to support
    e-commerce traffic should be assigned a high traffic priority. Less
    important services should be assigned a low priority. The firewall
    provides bandwidth to low-priority connections only when bandwidth is
    not needed for high-priority connections.
    Be sure to enable traffic shaping on all firewall policies. If you do not
    apply any traffic shaping rule to a policy, the policy is set to high priority
    by default.
    Distribute firewall policies over all three priority queues.
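
The three rules stated above can be checked against an exported policy list. The following Python audit is an added example, not Fortinet code: the policy dictionary keys, the constructed sample values, and the 0.8 headroom factor standing in for "significantly less" are assumptions.

```python
# Added example: audits a constructed policy list against the three traffic
# shaping rules on this page. Field names and the headroom factor are assumed.

PRIORITIES = ("high", "medium", "low")

def audit_shaping(policies, capacity_kbytes, headroom=0.8):
    """Return findings for the policies that share one interface.

    policies: dicts with hypothetical keys 'id', 'shaping' (bool),
    'guaranteed' (Kbytes) and 'priority'. capacity_kbytes is the interface
    capacity in the same unit. headroom is an assumed threshold for the
    page's "significantly less than the bandwidth capacity".
    """
    findings = []
    used = {p: 0 for p in PRIORITIES}
    guaranteed_total = 0
    for pol in policies:
        if not pol.get("shaping"):
            # Rule 1: a policy without shaping is set to high priority by default.
            findings.append(
                f"policy {pol['id']}: no traffic shaping, defaults to high priority")
            used["high"] += 1
            continue
        used[pol["priority"]] += 1
        guaranteed_total += pol.get("guaranteed", 0)
    # Rule 2: policies should be spread over all three priority queues.
    empty = [p for p in PRIORITIES if used[p] == 0]
    if empty:
        findings.append("unused priority queues: " + ", ".join(empty))
    # Rule 3: total guaranteed bandwidth must leave headroom on the interface.
    limit = capacity_kbytes * headroom
    if guaranteed_total > limit:
        findings.append(
            f"guaranteed total {guaranteed_total} Kbytes exceeds "
            f"{limit:.0f} of {capacity_kbytes} Kbytes capacity")
    return findings

# Constructed sample: four policies on one interface of 12500 Kbytes capacity.
SAMPLE = [
    {"id": 1, "shaping": True, "guaranteed": 4000, "priority": "high"},
    {"id": 2, "shaping": True, "guaranteed": 5000, "priority": "high"},
    {"id": 3, "shaping": False},
    {"id": 4, "shaping": True, "guaranteed": 2000, "priority": "medium"},
]

if __name__ == "__main__":
    for line in audit_shaping(SAMPLE, 12500):
        print(line)
```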
Configuring firewall policies