Tag Archives: traffic shaping

FGT traffic shaping in 5.4 – Per Policy/shared options

The best docs are always at docs.fortinet.com

Fortigate traffic shaping is awesome, lots of options and it all works really well. Going from 5.2 to 5.4/5.6 is quite different due to the creation of policies changing from within the firewall policy, to their own section. Either way, they all work great.

I did notice at least in 5.4 that the option to change how a policy is used do not seem to be in the GUI. Previously there were two options – “Per Policy”, and “all policies using this shaper”. Selecting “all policies using this shaper” would have all policies using that shaper object to share the guaranteed or Max bandwidth settings between all policies using that shaper. Selecting “Per Policy” allows you to dedicate those same settings to each policy referencing the shaper object.

Which gets to my point, in 5.2 you had the options below. Notice the options about how to apply the shaper.


In 5.4.5 at least notice that they are gone. Of course, if you upgraded from 5.2 the options are there.


So as with everything that does not show up in the GUI – you know it is in CLI. So I dropped down to CLI to check if the settings are still there. By editing the shaper, and using the “get” command I could see all settings and their values the policy had to offer. As I thought the option “Per-Policy” is there with the default settings of disabled. So by default, all Shaper policies haveĀ  settings shared between different traffic policies referencing that shaper.


So in this case, I want to give the same percentage of bandwidth to each of the traffic shaper policies referencing my shaper object. So I will modify that option.


Now, in the GUI lets check that policy again –


Awesome, now we have the actual options to change.

Time based Policy-map for traffic policing

Recently I was tasked to resolve a problem where a video stream on Saturday and Sunday would get very choppy. This video stream is for a church and as you would expect needs to be perfect. There are multiple remote sites each connected to an MPLS back to the core site which is where the video stream originates. Each site has a 100Mb MPLS link back to the core site.

We wanted to make sure that on Saturday and Sunday that normal traffic (web, file shares) would be capped at around half the useable bandwidth, and the other half was for the stream. This is much more bandwidth than what the stream needs, but we want to make sure its plenty.

So, what we did was implement time based ACLs for both the traffic we want to prioritize, and another ACL for all default traffic that we want to police. We used a ‘any-any’ ACL instead of the class-default because we have to make it time based.

Some of the things to note – the Burst rate really mattered here. I followed the formula from Cisco RATE-SPEED/8 * 1.5. Using this formula solved my issues and things flowed exactly the way I wanted them to.

To test I changed the time on the router to look like Saturday, and then used Iperf to push traffic.

The system clock on the router has to be correct, else everything can be very screwed up. You might be saying why did you use a policer instead of a shaper? good question. I would have used a shaper if my 3750’s supported it. A shaper would have been a better solution here.


– Create Time-range

– Create ACLs using time range

– create class maps

– create policy maps

– apply policy-map to interface


First to create the time-range to match the times we wanted we used the following commands:

config t

time-range Weekend-Service

periodic Saturday 13:00 to Sunday 15:00


Next I created the ACL to match the priority traffic and default traffic

ip access-list ext Priority-traffic

10 permit ip host any time-range Weekend-Service


ip access-list ext Default-Traffic

10 permit ip any any time-range Weekend-Service


Then I created the class and policy map, and attached it to the interface.

Class-map match any Priority-Traffic
match access-group Priority-Traffic

class-map match-any Default-Traffic
match access-group Default-Traffic

policy-map Stream
class Priority-Traffic
set ip dscp ef

class Default-Traffic
police 50000000 937500
set ip dscp default

int gig 1/0
policy-map input stream

There are many commands to test the status, one command is “show policy-map interface”