
Traffic shaping schedules Fortigate

In a shaping policy, many matching criteria are available for administrators to match
specific traffic and apply a traffic shaper or shaping group to it, including schedules.
This gives the shaping policy the ability to apply different shaping profiles at
different times. Administrators can select a one-time schedule, a recurring schedule, or
a schedule group.
Schedule is not a mandatory setting. If it is not set, the current date and time are not
used to match the traffic.

To configure a traffic shaping policy in the GUI:

1. Navigate to Policy & Objects > Traffic Shaping Policy.
2. Create or edit a Traffic Shaping Policy.
3. Enable Schedule and select a schedule option.
4. Configure other options and click OK.

To configure a traffic shaping policy in the CLI:

config firewall schedule recurring
    edit "work-hours"
        set start 07:00
        set end 20:00
        set day monday tuesday wednesday thursday friday
    next
end

config firewall shaping-policy
    edit 1
        set name "demo"
        set service "ALL"
        set schedule "work-hours"  <<< Can select a one-time schedule, recurring schedule or schedule group
        set dstintf "port1"
        set traffic-shaper "high-priority"
        set traffic-shaper-reverse "high-priority"
        set srcaddr "all"
        set dstaddr "all"
    next
end

To troubleshoot a traffic shaping policy in the CLI:

The selected schedule is listed in the iprope.

diagnose firewall iprope list 100015

policy index=1 uuid_idx=0 action=accept
flag (0):
schedule(work-hours)
shapers: orig=high-priority(2/0/134217728) reply=high-priority(2/0/134217728)
cos_fwd=0  cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
host=1 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 0 -> zone(1): 9
source(1): 0.0.0.0-255.255.255.255, uuid_idx=28,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=28,
service(1):
    [0:0x0:0/(0,65535)->(0,65535)] helper:auto
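As an added check that is not part of the Fortinet documentation, the Python below parses the iprope listing above and compares the schedule and shaper names of a policy entry against the intended configuration, so a drift between what was configured and what the firewall is actually enforcing shows up as a discrepancy list. The sample text is the output shown on this page, embedded as a constant so the check runs offline; the shaper parameter tuples are kept as printed and their field meaning is not interpreted.

```python
import re
# Constructed sample: the diagnose output shown on this page, embedded so the check runs
# offline (a real run would paste in `diagnose firewall iprope list 100015` output).
IPROPE_SAMPLE = """\
policy index=1 uuid_idx=0 action=accept
flag (0):
schedule(work-hours)
shapers: orig=high-priority(2/0/134217728) reply=high-priority(2/0/134217728)
cos_fwd=0  cos_rev=0
group=00100015 av=00000000 au=00000000 split=00000000
"""

SHAPER_RE = re.compile(r"shapers: orig=([^(\s]+)\(([^)]*)\) reply=([^(\s]+)\(([^)]*)\)")

def parse_iprope(text):
    """Parse policy entries of an iprope listing into dicts (index, schedule, shapers)."""
    policies, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"policy index=(\d+)", line)
        if m:  # a new policy entry starts; schedule None means no schedule is matched
            cur = {"index": int(m.group(1)), "schedule": None,
                   "shaper_fwd": None, "shaper_rev": None, "params": {}}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"schedule\((.+)\)$", line)
        if m:
            cur["schedule"] = m.group(1)
        m = SHAPER_RE.match(line)
        if m:
            cur["shaper_fwd"], cur["shaper_rev"] = m.group(1), m.group(3)
            # Parameter tuples are kept exactly as printed; their fields are not interpreted.
            for name, raw in ((m.group(1), m.group(2)), (m.group(3), m.group(4))):
                cur["params"][name] = tuple(int(x) for x in raw.split("/"))
    return policies

def audit_policy(policies, index, schedule, shaper):
    """Compare one parsed policy with the intended config; return a list of discrepancies."""
    pol = next((p for p in policies if p["index"] == index), None)
    if pol is None:
        return [f"policy {index} not present in iprope"]
    problems = []
    if pol["schedule"] != schedule:
        problems.append(f"schedule is {pol['schedule']!r}, expected {schedule!r}")
    for direction in ("shaper_fwd", "shaper_rev"):
        if pol[direction] != shaper:
            problems.append(f"{direction} is {pol[direction]!r}, expected {shaper!r}")
    return problems
```

An empty list from audit_policy means the running entry matches the configured schedule and shapers; anything else is worth checking before trusting that the shaping policy takes effect when expected.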

QoS assignment and rate limiting for quarantined VLANs

When devices are quarantined, they are isolated from the rest of the network. However,
they can still impact the network if not controlled beyond isolation. A quarantined host
that generates heavy traffic could congest the network and create a DoS-style reduction
in service to authorized hosts.
Within the quarantined VLAN, two restrictions are available:
- Traffic policing (also known as rate limiting)
- QoS (Quality of Service) assignment (also known as priority assignment)
Each quarantined host's traffic can be subject to rate limiting and priority adjustment.
This reduces the impact that any quarantined host can have on authorized traffic on the
network.

To configure QoS assignment and rate limiting for quarantined VLANs:

1. Configure a traffic policy, or use the default "quarantine" policy:

    config switch-controller traffic-policy
        edit "quarantine"
            set description "Rate control for quarantined traffic"
            set guaranteed-bandwidth 163840
            set guaranteed-burst 8192
            set maximum-burst 163840
            set cos-queue 0
        next
    end

2. Configure an interface:

    config system interface
        edit "qtn.aggr1"
            set vdom "root"
            set ip 10.254.254.254 255.255.255.0
            set description "Quarantine VLAN"
            set security-mode captive-portal
            set replacemsg-override-group "auth-intf-qtn.aggr1"
            set device-identification enable
            set snmp-index 30
            set switch-controller-access-vlan enable
            set switch-controller-traffic-policy "quarantine"
            set color 6
            set interface "aggr1"
            set vlanid 4093
        next
    end
