Next Generation Firewall (NGFW)


Fortigate as a bandwidth controller

  • 1.  Fortigate as a bandwidth controller

    Posted Mar 02, 2020 10:16 AM
    Hello, maybe someone can guide me. I want to use a FortiGate (box or VM) and dedicate it to the task of controlling the bandwidth of my users. What should I take into account to determine which box or VM is best suited?


  • 2.  RE: Fortigate as a bandwidth controller

    Posted Mar 02, 2020 02:31 PM
    Hello,

    There are some criteria that you must consider for the FortiGate appliance (box):

    - FortiASIC
    - Physical ports

    For the VM look here: https://www.fortinet.com/br/products/virtualized-next-generation-firewall/faqs.html

    Regards.


  • 3.  RE: Fortigate as a bandwidth controller

    Posted Mar 03, 2020 12:11 PM
    Thank you, Marcos, for your answer, but it is not clear to me what I should consider. That the box has a more powerful CPU? Should I then consider a high unemployment box (1000 to 3980)?


  • 4.  RE: Fortigate as a bandwidth controller

    Posted Mar 03, 2020 08:09 AM

    NP4 traffic shaping offloading

    Accelerated Traffic shaping is supported by NP4 processors with the following limitations.

    • NP4 processors support policy-based traffic shaping. However, fast path traffic and traffic handled by the FortiGate CPU (slow path) are controlled separately, which means the policy setting on fast path does not consider the traffic on the slow path.

    • The port based traffic policing as defined by the inbandwidth and outbandwidth CLI commands is not supported.

    • DSCP configurations are supported.

    • Per-IP traffic shaping is supported.

    • QoS in general is not supported.

    NP4Lite processors do not support traffic shaping for offloaded sessions.

    You can also use the traffic shaping features of the FortiGate unit's main processing resources by disabling NP4 offloading. See Disabling NP offloading for firewall policies.

    https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-hardware-acceleration/NP4.htm

    ==============================================================================

    NP6 processors and traffic shaping

    NP6-offloaded traffic supports traffic shaping just like any other traffic with one exception: configuring in bandwidth traffic shaping has no effect on NP6 accelerated traffic. In bandwidth traffic shaping sets the bandwidth limit for incoming traffic for an interface.

    Out bandwidth traffic shaping is supported. Out bandwidth traffic shaping sets the bandwidth limit for outgoing traffic for an interface. You can use the following command to configure out bandwidth traffic shaping:

    config system interface
        edit port1
            set outbandwidth 2000
        end

    https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-hardware-acceleration-52/NP6.htm




  • 5.  RE: Fortigate as a bandwidth controller

    Posted Mar 03, 2020 12:26 PM
    Hi Rowan, your comment is very interesting; I was not aware of the characteristics of the processor.

    I want to control the bandwidth of approximately two thousand users, where a user means a terminal equipment (CPE), which is not necessarily in a LAN but in a routed segment and/or in a different geographical area. Each CPE could have an IP (/30) or more (/29, /28, etc.); the traffic is approximately 1 Gbps on the outgoing interface.

    How could I know if a VM or a Chassis is better for me?


  • 6.  RE: Fortigate as a bandwidth controller

    Posted Mar 03, 2020 01:43 PM
    If you only want to shape outbound traffic without concession, go with a hardware box that has the NP6 processor. This will support any traffic shaping except for interface-based shaping (https://docs.fortinet.com/document/fortigate/6.0.0/hardware-acceleration/972559/np6-processors-and-traffic-shaping).

    If your proposed design is based on interface-based shaping, go with a VM, because the shaping will be CPU-based and an NP-accelerated box has no direct added value.


  • 7.  RE: Fortigate as a bandwidth controller

    Posted Mar 03, 2020 02:07 PM

    My design is based on traffic shaping policies: create an Address, then create Traffic Shapers of the shared type, where I set the different speeds, since I want to limit each user's (CPE) up and down speed. Then, for each user, create a traffic shaping policy.


  • 8.  RE: Fortigate as a bandwidth controller

    Posted Mar 03, 2020 02:19 PM
    Sounds as if an NP6-capable hardware box should fit your requirements.


  • 9.  RE: Fortigate as a bandwidth controller

    Posted Mar 23, 2020 07:02 AM
    Thanks Rowan, I see that the 300E has an NP6 processor. Is there any limitation or restriction regarding the number of traffic shaping profiles or policies? The team data sheet does not mention anything.


  • 10.  RE: Fortigate as a bandwidth controller

    Posted Mar 28, 2020 07:16 AM
    Please refer to the Maximum Values Table to see what limits are applied per model: https://docs.fortinet.com/max-value-table


  • 11.  RE: Fortigate as a bandwidth controller

    Posted Mar 03, 2020 01:12 PM

    If you have a VM environment with spare resources and you want to go that route then compare to the VM performance.
    https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortigate-vm.pdf

    For hardware appliances then compare to
    https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/Fortinet_Product_Matrix.pdf

    I typically use the NGFW throughput to give myself lots of room for enabling features. For what you are doing, it sounds very different from a standard setup so you may want to look at doing a POC with a 60F, then design your real HA solution out with more like 100F firewalls.







  • 12.  RE: Fortigate as a bandwidth controller

    Posted Mar 23, 2020 07:08 AM
    Thanks Peter for your comments.
    Rowan recommends equipment with an NP6 processor; I see that the 300E fits, as does its throughput.
    I am trying to find out if there are any limitations regarding the number of shaping policies or profiles; the data sheet does not indicate this.


  • 13.  RE: Fortigate as a bandwidth controller

    Posted Mar 23, 2020 07:23 AM

    https://docs.fortinet.com/max-value-table

    I would start with this to see if you can find any of the limits then reach out directly to Fortinet with the specifics. The 100F has a lot of power so I would consider that when you look at the specs. 




  • 14.  RE: Fortigate as a bandwidth controller

    Posted Mar 23, 2020 10:57 AM
    According to the link provided, I found the following data


    Setting                           100F
    firewall.shaper.per-ip-shaper     32
    firewall.shaper.traffic-shaper    32
    firewall.address                  20000

    Does this indicate that I can only have 32 traffic shaping policies?


  • 15.  RE: Fortigate as a bandwidth controller

    Posted Mar 28, 2020 07:17 AM
    That is correct.
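
An added example, not part of the thread and not Fortinet code: the design described in post 7 (one address and one shaping policy per CPE, shared shapers per speed) generated as FortiOS CLI text and counted against the 100F values quoted in post 14. It assumes the firewall.shaper.traffic-shaper value counts shaper objects; the function names, the port1 interface, the speed plans and the 10.64.0.0/16 range are constructed for illustration.

```python
import ipaddress
from itertools import islice

# 100F values quoted in post 14 (from the Maximum Values Table).
LIMITS_100F = {"firewall.shaper.traffic-shaper": 32, "firewall.address": 20000}

def build_config(cpes, out_intf="port1"):
    """cpes: (name, cidr, down_kbps, up_kbps) tuples -> (CLI text, object counts)."""
    rates = sorted({r for _, _, down, up in cpes for r in (down, up)})
    lines = ["config firewall address"]
    for name, cidr, _, _ in cpes:
        net = ipaddress.ip_network(cidr)  # ValueError if host bits are set
        lines += [f'    edit "{name}"',
                  f"        set subnet {net.network_address} {net.netmask}",
                  "    next"]
    lines += ["end", "config firewall shaper traffic-shaper"]
    for r in rates:  # one shared shaper object per distinct speed
        lines += [f'    edit "rate-{r}k"',
                  f"        set maximum-bandwidth {r}",  # kbps
                  "        set per-policy enable",  # separate limit per policy
                  "    next"]
    lines += ["end", "config firewall shaping-policy"]
    for i, (name, _, down, up) in enumerate(cpes, start=1):
        lines += [f"    edit {i}",
                  f'        set srcaddr "{name}"',
                  '        set dstaddr "all"',
                  '        set service "ALL"',
                  f'        set dstintf "{out_intf}"',
                  f'        set traffic-shaper "rate-{up}k"',            # CPE -> out
                  f'        set traffic-shaper-reverse "rate-{down}k"',  # replies
                  "    next"]
    lines.append("end")
    usage = {"firewall.address": len(cpes),
             "firewall.shaper.traffic-shaper": len(rates),
             "firewall.shaping-policy": len(cpes)}
    return "\n".join(lines), usage

def over_limit(usage, limits=LIMITS_100F):
    """Return {key: (needed, allowed)} for every limit the design exceeds."""
    return {k: (usage[k], v) for k, v in limits.items() if usage[k] > v}

def sample_cpes(n=2000):
    """Constructed input: n CPEs on /30s, spread over four made-up speed plans."""
    plans = [(10000, 2000), (20000, 5000), (50000, 10000), (100000, 20000)]
    nets = islice(ipaddress.ip_network("10.64.0.0/16").subnets(new_prefix=30), n)
    return [(f"cpe-{i:04d}", str(net), *plans[i % 4]) for i, net in enumerate(nets)]

if __name__ == "__main__":
    config, usage = build_config(sample_cpes())
    print(usage, over_limit(usage) or "within the quoted 100F values")
```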