FortiGate Version 3.0 MR4 Administration Guide
224 01-30004-0203-20070102
Configuring firewall policies Firewall Policy
The bandwidth available to traffic controlled by a policy covers both the control
and data sessions of a protocol, and traffic in both directions. For example, if
guaranteed bandwidth is applied to an internal-to-external FTP policy and a user
on the internal network uses FTP to both put and get files, the put and get
sessions share the bandwidth available to the traffic controlled by that policy.
The guaranteed and maximum bandwidth configured for a policy apply to all traffic
controlled by that policy combined. If multiple users start multiple communication
sessions through the same policy, all of those sessions share the bandwidth
available to the policy.
Bandwidth is not shared between sessions of the same service when those sessions
are controlled by different policies. For example, you can create one FTP policy
that limits the bandwidth available for FTP from one network address, and another
FTP policy with a different bandwidth limit for a second network address; FTP
sessions from the two addresses are then shaped independently of each other.
Traffic Priority
Set traffic priority to manage the relative priorities of different types of traffic.
Important and latency-sensitive traffic should be assigned a high priority; less
important and less latency-sensitive traffic should be assigned a low priority.
The FortiGate Antivirus Firewall provides bandwidth to low-priority connections
only when that bandwidth is not needed by high-priority connections.
For example, you can add policies to guarantee bandwidth for voice and e-commerce
traffic, then assign a high priority to the policy that controls voice traffic and
a medium priority to the policy that controls e-commerce traffic. During a busy
period, if voice and e-commerce traffic compete for bandwidth, the higher-priority
voice traffic is transmitted before the e-commerce traffic.
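The two sections above describe how guaranteed bandwidth, maximum bandwidth and priority interact, and how sessions under one policy share that policy's allowance while sessions under different policies do not. The following model is an added example written for this page; it is not FortiGate code and does not reproduce the appliance's scheduler. It assumes a single link of fixed capacity, that guarantees are honoured before spare capacity is handed out in priority order, and that sessions under one policy split its share equally; the policy names, demands and figures are constructed for the demonstration.

```python
"""Added example (not FortiGate code): a small model of how per-policy
guaranteed bandwidth, maximum bandwidth and priority interact.

Assumptions, labelled here because the guide does not specify them:
  * one link with a fixed capacity; all bandwidth figures use one unit
  * guaranteed bandwidth is honoured first, then spare capacity goes to
    policies in priority order (high, medium, low), never beyond a
    policy's maximum bandwidth or its actual demand
  * sessions under one policy split that policy's share equally
"""
from dataclasses import dataclass, field

PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Policy:
    name: str
    guaranteed: int            # bandwidth reserved for this policy
    maximum: int               # cap for all traffic matching this policy
    priority: str              # "high", "medium" or "low"
    demand: int = 0            # total offered load from matching sessions
    sessions: list = field(default_factory=list)  # session labels


def allocate(link_capacity, policies):
    """Return {policy name: bandwidth granted} for one scheduling interval."""
    alloc = {}
    remaining = link_capacity
    # Pass 1: guarantees. If the guarantees of all policies add up to more
    # than the link, later policies in the list come up short; that is a
    # misconfiguration, not something shaping can fix.
    for p in policies:
        want = min(p.demand, p.maximum)
        got = min(p.guaranteed, want, remaining)
        alloc[p.name] = got
        remaining -= got
    # Pass 2: spare capacity, high priority first. A low-priority policy is
    # served only with what the higher-priority policies did not want.
    for p in sorted(policies, key=lambda p: PRIORITY_RANK[p.priority]):
        if remaining <= 0:
            break
        still_wanted = min(p.demand, p.maximum) - alloc[p.name]
        extra = min(still_wanted, remaining)
        alloc[p.name] += extra
        remaining -= extra
    return alloc


def per_session(policy, policy_share):
    """Split one policy's share among its own sessions (put and get, several
    users, ...). Sessions under other policies are not involved."""
    n = len(policy.sessions)
    if n == 0:
        return {}
    base, leftover = divmod(policy_share, n)
    return {s: base + (1 if i < leftover else 0)
            for i, s in enumerate(policy.sessions)}


def demo_policies(voice_demand=3000):
    """Constructed scenario: voice and e-commerce policies plus two FTP
    policies for two different source networks (figures are invented)."""
    return [
        Policy("voice", 2000, 4000, "high", voice_demand, ["call-1"]),
        Policy("ecommerce", 1000, 5000, "medium", 6000, ["shop-1", "shop-2"]),
        Policy("ftp-net-a", 500, 2000, "low", 5000, ["a-put", "a-get"]),
        Policy("ftp-net-b", 500, 2000, "low", 1000, ["b-get"]),
    ]


if __name__ == "__main__":
    link = 10000
    for title, demand in (("busy period", 3000), ("voice idle", 0)):
        policies = demo_policies(demand)
        shares = allocate(link, policies)
        print(f"== {title} ==")
        for p in policies:
            print(f"{p.name:10} {shares[p.name]:5}  {per_session(p, shares[p.name])}")
```

Running it shows the behaviour the text describes: during the busy period the low-priority FTP policy for network A only receives what voice and e-commerce leave over, its put and get sessions share that amount between them, and the FTP policy for network B keeps its own allocation untouched. When the voice policy is idle, the same FTP policies grow up to their maximum bandwidth and no further.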
Traffic shaping considerations
Traffic shaping, by definition, attempts to smooth traffic peaks and bursts, and
can be configured to prioritize certain flows over others. There is, however, a
physical limit to how much data can be buffered and for how long. Once these
thresholds are exceeded, frames and packets are dropped and sessions are
affected. An incorrect traffic shaping configuration can therefore make some
flows worse rather than better: excessive packet discards create additional
overhead at the upper layers, which attempt to recover from the losses.
A basic traffic shaping example is to prioritize certain flows to the detriment
of other traffic that can be discarded. This means accepting some loss of
performance and stability on traffic X in order to increase or guarantee
performance and stability for traffic Y.
Likewise, if you apply bandwidth limits to certain flows, you must accept that
those sessions can be throttled and therefore negatively affected.
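The considerations above come down to one trade-off: a shaper can only absorb a burst for as long as it has buffer space, and beyond that it discards. The following tick-based model is an added example written for this page, not FortiGate code; it assumes fixed-size packets, a shaper that may transmit `rate` packets per tick (standing in for the maximum bandwidth) and a buffer of `queue_limit` packets with tail drop, and the burst pattern is constructed.

```python
"""Added example (not FortiGate code): a tick-based model of a shaper with a
bounded buffer, showing how a burst turns into loss when the limit is tight
or the buffer is small, and into delay when the buffer is large.

Assumptions: time advances in fixed ticks, every packet is the same size,
`rate` is the number of packets the shaper may transmit per tick, and
`queue_limit` is how many packets the buffer can hold.
"""
from collections import deque


def shape(arrivals, rate, queue_limit):
    """Run the shaper over a constructed arrival pattern.

    arrivals     packets offered in each tick, e.g. [10, 10, 10, 0, 0]
    Returns (sent, dropped, max_delay), where max_delay is the longest time
    in ticks that any transmitted packet waited in the buffer.
    """
    queue = deque()            # arrival tick of each buffered packet
    sent = dropped = max_delay = 0
    tick = 0
    # Keep running after the last arrival until the backlog has drained.
    while tick < len(arrivals) or queue:
        offered = arrivals[tick] if tick < len(arrivals) else 0
        for _ in range(offered):
            if len(queue) < queue_limit:
                queue.append(tick)     # buffered: smoothed, but delayed
            else:
                dropped += 1           # buffer full: tail drop
        for _ in range(rate):          # transmit up to `rate` packets
            if not queue:
                break
            max_delay = max(max_delay, tick - queue.popleft())
            sent += 1
        tick += 1
    return sent, dropped, max_delay


def compare(arrivals, rate, limits):
    """Same burst, same rate, different buffer sizes."""
    return {limit: shape(arrivals, rate, limit) for limit in limits}


BURST = [10, 10, 10] + [0] * 7   # constructed: 30 packets in three ticks


if __name__ == "__main__":
    for limit, (sent, dropped, delay) in compare(BURST, 4, [4, 12, 30]).items():
        print(f"buffer={limit:2}: sent={sent:2} dropped={dropped:2} "
              f"max delay={delay} ticks")
```

With a 4-packet buffer the shaper discards 18 of the 30 packets, which is exactly the excessive-discard case the text warns about: the upper layers would have to retransmit most of the burst. With a 30-packet buffer nothing is lost, but the last packets wait five ticks, which is the smoothing delay that makes such a setting unsuitable for latency-sensitive flows. The middle setting loses some and delays some; choosing between these points is what the configuration decides.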