[Music] Good morning, welcome to the Network 360 channel. In this video we are covering the FortiGate traffic shaping feature. We are using FortiGate 61E hardware, and the firmware version is 7.0.1. The roadmap summary of this video: first, we will cover a little of the basics of QoS, quality of service; second, we will do the walkthrough configuration of traffic shaping; third, we will verify using speedtest.net; fourth, we will do the troubleshooting and verify using the CLI. This is our roadmap. [Music]

The basics of QoS: it's a standard, and it's not only for FortiGate; normally it's an open standard, and it's used for Cisco or Juniper or any other vendor. The main parameters of QoS are bandwidth, delay, jitter and loss. These are basically the QoS parameters. We can do the class of QoS in two ways, layer 2 or layer 3: layer 2 is 802.1p class of service, and layer 3 is DSCP and type of service. In the firewall we are mostly using the DSCP value, in general the IETF standard and open standard. Layer 3 traffic shaping: in FortiGate also we are using layer 3 traffic shaping.

Let's say one packet is entering your firewall or any L3 device; the QoS process starts from there. First it will do the admission control. What will admission control check? Okay, this packet, do we have to admit it into the packet flow or not. If there is a queue length and the queue is okay, the packet size, whatever other parameters, then the packet will enter the flow. Next is classification: we have to classify what type of packet that one is, high priority, low priority, or default priority or best effort. After the classification we will do the marking and policing. Marking and policing means we will do the markdowns; let's say we will use some algorithm for how the packet we
will process the packet, let's say leaky bucket or token based. FortiGate is using token-based bucketing; that is a policing mechanism. How it is working: let's say you configured one policy, 192.16810, 192.168.10.21, with guaranteed bandwidth and maximum bandwidth. For guaranteed bandwidth you give 1 MB, so a 1 MB token will be already allocated to the firewall. So whenever the packet is coming, at the same time the packet will be processed and it will exit to the next queue for the scheduling and traffic shaping and other works; the packet will flow to the next step. You can google it; as per my knowledge, it is using a token bucket based algorithm for the policing.

Then, after the policing, the queueing and scheduling. Let's say we have three queues; if you open here you can see high, low, medium queues. So the high queue is always, you know, the little time, that is, delay will be very, very sensitive, so the high priority queue will be passed without any delay. The queueing and scheduling mechanism will do the same thing; it is common for all the QoS mechanisms. The last step is traffic shaping. In traffic shaping we can do the policing or shaping; normally we will do the shaping, and the FortiGate is using traffic shaping. Then the packet will exit on the exit interface.

When we are classifying the packet, broadly we have two types of classification. One is the network control traffic; that is the high priority one, your normal network control type of packets. The second one is user and data traffic. User and data traffic is normally subdivided in the IETF model into four different categories based on the bit rate, based on the application:
constant bit rate applications like voice over IP communication, then the constant bit rate, real-time voice over IP call; then the variable bit rate, the interactive videos, that are also real-time; then the other one, IPTV or streaming, that is the third one; the last one is best effort. These are the four for classification. Then, once we have classified the packet, we will do the queueing, policing and, sorry, scheduling; we will do the traffic shaping and exit the traffic. This is the basics of QoS, very, very basic. If you want to know more, we can do one more video.

So let me go to the configuration part. Traffic shaping normally has to be applied in most organizations, because we have to prioritize some traffic based on your business. It may be Office 365 traffic or Salesforce traffic or voice over IP; based on your business requirement you have to prioritize some of the traffic. Otherwise, what will happen: some of the users will download a huge amount of data, it will spike, and it will utilize all your internet channel. In my lab I am using a 10 Mbps line. So we will do the walkthrough of how we can configure, how we can verify and how we can troubleshoot, and you will get a good knowledge about traffic shaping.

Basically FortiGate has three types of traffic shaping. You can see from Policy and Objects, Traffic Shaping: the first type is shared, the second type is per-IP, and the third one is interface based. This is the traffic shaping profile; this is interface based. So we will create now and we will do the testing. I'm creating shared, so let me do 2 megabits. Okay, we'll give quality of service; I'm giving the priority high. [Applause] Maximum bandwidth I'm giving 2 Mbps, so it's in kilobits, so MB we have to do. Okay, guaranteed, one thousand. DSCP we are not using. Basically FortiGate is applying a per-hop based QoS mechanism; this all is per-hop based. Because, what is
per-hop based? When you are applying traffic shaping here, it will apply only over that FortiGate. Let's say in your organization you have two, three or four firewalls: you have two firewalls from FortiGate and an exit firewall from Cisco or Palo Alto or Check Point. Then we can use a DSCP value. Once you apply the DSCP value here, it will apply on the L3 of the packet, type of service. So you will get the chart, and based on the priority you can make it here; for high priority, if it's voice traffic, you can put a 41 something, you can just google it, so you will get that DSCP value. If you apply the DSCP value, it will be forwarded to the next device, because this is an open standard. Okay, in this exercise we are not using DSCP.

Okay, 2 MB is maximum bandwidth, 1 MB is guaranteed bandwidth. Guaranteed bandwidth: you remember when we discussed the basics, I told you at the policing time we can make a leaky bucket, so basically leaky bucket, token based relay market. So basically what will happen: based on this guaranteed bandwidth we will allocate the bandwidth. So whenever the packet is coming, okay, tokens available; if the token is available, then at the same time the packet will exit. So the shared one we created, 2 MB shared.

Okay, now the second part: we have to create a policy here. In my case I'm using all to all, because after this I will go to the policy. Say lab setup; schedule, always; services, I'm giving all. Here, if you want, as we discussed before, normal organizations want to control based on the application; you can do that, you will get YouTube or Office 365. Based on the application you can do it, or URL category also; like you want to allocate only 2 MB for this category, you can do it; business category, you can allocate 2 MB. For the lab purpose I'm not selecting. My exit is wan1. Apply shaper: I'm using the shared 2 MB; shared, reverse also. Why we
have to put in the reverse also? Because when you are streaming a video, you are giving a GET command, and after that you are getting all the contents downloading, so we have to do both directions, forward direction and reverse direction also. In this case we applied the 2 Mbps shared. Okay, so we created the shared traffic shaper; after that we applied a traffic shaping profile here. If you want, you can specify, based on your requirement, source and destination addresses or services, whatever; for lab purposes I have just gone through the options that are available. Okay, so done.

So we will go to the speed test and check what we are getting. Before that I will go to the firewall policy. I am using the Wi-Fi; all to all is allowed, only one policy. So we will go to the speed test; we will disable the policy and check what is the current full pipe I am getting before applying QoS or traffic shaping. Okay, as I told you, my lab internet speed is 10 MB. Okay, I am getting 9.4 MB. So now we created the 2 MB shared and we are enabling that one; we will redo the test again. We configured 1 MB as the guaranteed bandwidth and 2 MB max. 1.7, so we can see that, 1.7; we already applied the traffic shaping.

Now what we will do: we will do the diagnosing using the CLI. For that we have to check the session table. In the session table we can see which traffic shaping policy is applied, what is the guaranteed and what is the maximum bandwidth, and what bits are going on now, all the things. Diagnose system session filter src 192.6810.4, destination port 443, system list, the list. So let's say one session's details: we are using the shared 2 MB, and sure, this is shared, origin and reverse, forward and reverse, guaranteed, max, traffic drops. So this is the one dropped. So we can see that it is already applied and we are getting the result also. Shaping policy ID: we can see the policy 81. So before continuing
we can do a small modification on the traffic shaping policy so we can see. Okay, the policy ID is one, so which one? Okay, so for that we have to click here, go to ID, apply; better to move it to the left. Okay, shaping policy ID, and this is the bits dropping, and these are the details. So we are using the policy ID 1.

Next in traffic shaping is per-IP. Per-IP: what I will do is create 5 MB maximum bandwidth per IP. 5 MB; I am not using the concurrent connections, concurrent TCP or UDP; I am not using the DSCP value. I am just specifying 5000 kbps, that's 5 MB, for each IP. Okay, once I create it, then I will go to the traffic shaping policies. Create new, all to all; schedule, always; service, I'm giving all; application, on the side which I told you, here you have all the options, you can do granular based traffic shaping; in my lab I'm not doing that one. wan1 exit; shaper: shared, no; per-IP. Applied the policy. The traffic shaping policy is the same as our IPv4 policy or firewall policy: it goes from top to bottom, so we have to move the policy to the top, because we are specifying all to all; if it is below, then the first one will be hit. Now 5 MB; we are doing apply shaper per-IP. We will go and do the traffic test, the speed test. Okay, for point, we will check our session table. Before, we saw the shared one; now it's changed, now it is per-IP. Per-IP we will get 5 MB; shaping policy ID 2, so policy ID 2 is 5 MB. So it is applying for cid; the details for c direction, internal, everything is here. So the second type of the traffic shaping model also we did, shared.

The last one is interface based or profile based. So 5 MB, we will give 6 MB. We have to create the classes; in total 32 classes we can create. This is all my old creation. So I did test file; we'll create a class here. What is the difference? Before, we were applying bandwidth directly; in profile based you cannot apply the bandwidth directly, it's a percentage. So I will
tell you the process. We have to specify what bandwidth we are getting from the ISP; in my case I am getting 10 MB. So before doing that, okay, let's say what I will do: I will cancel this one. Cancel. So first go to the interface, wan1, 10 MB. You know, before we are going over there, from here itself we can create it, the same 5 MB, test 5. So guaranteed bandwidth, 1 MB, so 10 percent; maximum bandwidth, preference 6 MB, so we will give 60. So 10 is my total bandwidth, 10 MB, and in this class ID what I am doing is 60 maximum, so 60 percent is 6 MB. Priority I'm giving. So okay, 10 MB. Okay, so we'll go to Policy, Traffic Shaping, shaping profile 5 MB. Next, same as a policy, we have to create the traffic shaping policy. This is the profile, the same one. Outgoing interface wan1; apply shaper I'm not doing, so I'm doing this class ID which I created, just five separate. Then we move the traffic to the top.

Sorry, especially for the interface based traffic shaping: let's say you want to give a guaranteed bandwidth for voice over IP for all the users, it's guaranteed to personally; let's say you have 100 MB, and 10 MB for the voice over IP or Office 365. You can apply it on the interface level, so it will apply for all the users who are exiting over that interface. But interface level traffic shaping requires the NP6 chipset; it is more hardware based, and some of the models will not support it. I am using 61E; 61E is not supporting it. You can go to the docs, then you can find out which models support it. I believe above 500 supports the interface based traffic shaping. But we can do the testing, because we can see the session table; the data will be there, the configuration will be there. The wire speed chip, the ASIC, will not take effect, so that's why we will not get that policy. But what we can
see on the session table: we can see which one is taking. Not only the session table; on the interface level also we can see which one is applied, interface level reports. So we created a profile, we attached it to our traffic shaping profile, and on the interface level we have to do the bandwidth, because it's percentage based, about 10 percent, 50 percent, it's 5 MB. Outbound bandwidth 10 MB, okay. So let me go to the testing. You can see, because 9.5 MB. If I go to the CLI now, you can see shaping policy ID 2; I'm going to pass, ID will be there, and the policy ID is... but this is applying, but the problem is at the hardware level it will not take effect due to the chipset, the hardware limitations, because it's a 61E, you know, a low-end model. So interface level we will see: interface list wan1. It is already applied: egress traffic control bandwidth 8, class 5, allocated 6 MB, guaranteed 1 MB, current bandwidth 6 kbps, forward. So the configuration side is all okay; only the hardware level is different, that's why we are not getting the result. If you are using, I believe, more than 500, then interface level traffic shaping also you can do, and for all the users using that interface you can specify, okay, this type of traffic, the minimum bandwidth needed, this much, like that configuration you can do.

So what we did: we went through the basics of QoS, class of services; then we did the configuration walkthrough, three types of configuration: shared traffic shaping, per-IP and interface based. We did the verification on the GUI, we went to the network speed test; at the same time we tested using the diagnose, what is the policy and which policy is taking. Thank you for watching. If you like the video, please like it; if you like the video, please subscribe. Thank you, bye.
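
The shared and per-IP shaper steps from this walkthrough, written as FortiOS CLI configuration together with the session checks used for verification. This is an added example, not taken from the video: the object and policy names (`shared-2M`, `perip-5M`, `lab-shared`, `lab-perip`) and the `<client-ip>` placeholder are assumptions, while the bandwidth values, `wan1` and port 443 follow the transcript.

```fortios
# Shared shaper: 1000 kbps guaranteed, 2000 kbps maximum, high priority
config firewall shaper traffic-shaper
    edit "shared-2M"
        set guaranteed-bandwidth 1000
        set maximum-bandwidth 2000
        set priority high
    next
end

# Per-IP shaper: 5000 kbps maximum for each source IP
config firewall shaper per-ip-shaper
    edit "perip-5M"
        set max-bandwidth 5000
    next
end

# Shaping policies are matched top to bottom, like firewall policies
config firewall shaping-policy
    edit 1
        set name "lab-shared"
        set service "ALL"
        set srcaddr "all"
        set dstaddr "all"
        set dstintf "wan1"
        # Forward and reverse direction both use the shared shaper
        set traffic-shaper "shared-2M"
        set traffic-shaper-reverse "shared-2M"
    next
    edit 2
        set name "lab-perip"
        set service "ALL"
        set srcaddr "all"
        set dstaddr "all"
        set dstintf "wan1"
        set per-ip-shaper "perip-5M"
    next
    # Both policies are all-to-all, so the per-IP one must sit on top to match
    move 2 before 1
end

# Verification: filter the session table, then list the matching sessions
diagnose sys session filter src <client-ip>
diagnose sys session filter dport 443
diagnose sys session list
diagnose firewall shaper traffic-shaper list
diagnose firewall shaper per-ip-shaper list
```

In the session list output, the shaper name, the guaranteed and maximum values and the shaping policy ID show which shaping policy a given session matched.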