Traffic shaping for VoIP

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

The quality of VoIP phone calls through a firewall often suffers when the firewall is busy and the bandwidth available for the VoIP traffic fluctuates. This can be irritating, leading to unpredictable results and caller frustration. This recipe describes how to add traffic shaping to your FortiGate to guarantee that enough bandwidth is available for VoIP traffic, regardless of any other activity on the network.

To achieve high-quality real-time voice transmissions, VoIP traffic requires priority over other types of traffic, minimal packet loss, and jitter buffers. You will limit bandwidth consuming services, like FTP, while providing a consistent bandwidth for day-to-day email and web-based traffic. First, you will customize three existing traffic shaper profiles—high priority, medium priority, and low priority—and then create a separate traffic shaping policy for each service type.

Find this recipe for other FortiOS versions
5.2 | 5.6

1. Enabling Traffic Shaping and VoIP features

Go to System > Feature Select and enable both Traffic Shaping and VoIP. Apply your changes.

 

To be able to apply VoIP profiles you must enable proxy-based inspection by going to System > Settings and setting Inspection mode to Proxy.

2. Creating a high priority VoIP traffic shaper

Go to Policy & Objects > Traffic Shapers and edit the default high-priority traffic shaper.

Set Type to Shared. Set Apply shaper to Per Policy.

Set Traffic Priority to High. Select Max Bandwidth and enter 1000 Kbps. Select Guaranteed Bandwidth and enter 800 Kbps.

 

3. Creating a low priority FTP traffic shaper

Go to Policy & Objects > Traffic Shapers and edit the default low-priority traffic shaper.

Set Type to Shared. Set Apply shaper to All policies using this shaper.

Set Traffic Priority to Low. Set Max Bandwidth and Guaranteed Bandwidth to 200 Kbps.

 
 

4. Creating a medium priority daily traffic shaper

Go to Policy & Objects > Traffic Shapers and edit the default medium-priority traffic shaper.

Set Type to Shared. Set Apply shaper to Per Policy. Select Max Bandwidth and enter 600 Kbps. Set Traffic Priority to Medium. Select Guaranteed Bandwidth and enter 600 Kbps.  

 
 

5. Adding a VoIP security profile to your Internet access policy

Go to Policy & Objects > IPv4 Policy and edit your Internet access policy.

Under Security Profiles enable VoIP and change the logging options to All Sessions to test the results later.

Note your Source, Destination and Outgoing Interface for Step 6.

This shows the VoIP Security Profile enabled in the Internet access policy.

 

6. Creating three traffic shaping policies

Go to Policy & Objects > Traffic Shaping Policy and create a new high-priority traffic shaping policy for SIP traffic.

Set the Matching Criteria to the same settings as the Internet access policy you would like to apply traffic shaping to. Enable Shared Shaper and Reverse Shaper and select high-priority.

 

This shows the SIP shaping policy.

Follow the same process, to create a new low-priority traffic shaping policy for FTP traffic. Set Service to FTP and Shared Shaper and Reverse Shaper to low-priority.  This shows the FTP shaping policy.
Now create a medium-priority traffic shaping policy for daily traffic. Set Service to ALL and Shared Shaper and Reverse Shaper to medium-priority.  This image shows the medium-priority traffic shaping policy.

Arrange your policies in the following order:

    1. High-priority (SIP/VoIP traffic)
    2. Low-priority (FTP traffic)
    3. Medium-priority (Day-to-day traffic)

This image shows the policy list page.

 

 6. Results

Browse the Internet using a PC on your internal network to generate daily web traffic. Then, generate FTP traffic.

The FTP sessions should occur slowly.

This shows the FTP file download.

 

Finally, generate SIP traffic.

Go to FortiView > Traffic Shaping and look at the three active traffic shapers.

This shows how the high-priority policy has no dropped bytes. 

If the standard traffic volume is high enough, it will top out at the maximum bandwidth defined by each shaper. The high-priority VoIP (SIP) policy should show no dropped bytes, but either of the other two policies may show dropped bytes if the set bandwidth is maxed out. You will have normal voice quality on your VoIP call, even with daily traffic and FTP downloads running.

 

Select the graph icon to switch to the bubble graph view, and sort by Bandwidth. Mouse over a shaper to view more details, or double-click to drill down.

 

This shows the bandwidth flowing through all three policies.

For further reading, check out Traffic Shaping in the FortiOS 5.6 Handbook.

Kayla Robinson

Kayla Robinson

Technical Writer at Fortinet
Kayla Robinson works in Ottawa as part of Fortinet's Technical Documentation and New Media team. With a Bachelor's degree from Carleton, and a graduate certificate in Technical Writing from Algonquin College, she enjoys creating FortiOS Cookbook videos.
Kayla Robinson

Latest posts by Kayla Robinson (see all)

  • Was this helpful?
  • Yes   No
Before you apply QoS measures, ensure you have enough network bandwidth to support real-time voice traffic.
Traffic shaping rules and VoIP profiles can now be applied to firewall policies. 
Select Per Policy when you want each security policy for day-to-day business traffic to have the same distribution of bandwidth, regardless of the number of policies using the shaper. In this example, 800Kbps each.
Select All policies using this shaper to ensure that all policies using your shaper will be restricted to share a set amount of bandwidth. In this example, 200 Kbps total.
If you are creating a new traffic shaper, the Traffic Priority is set to High by default. A failure to set different shaper priorities will result in a lack of prioritized traffic.
Setting a low maximum bandwidth will prevent sudden spikes in traffic caused by large FTP file uploads and downloads. 
This shaper should be set to a moderate value and set to per policy so that day-to-day traffic has the same distribution of bandwidth. 
Make sure that you include a Reverse Shaper so that return traffic for a VoIP call has the same guaranteed bandwidth as an outgoing call.
Click on the far left of the column you want to move and drag it up or down to arrange it.
More specific restrictive policies, like the SIP and FTP policies, should always be placed at the top of the list, above the unrestricted general access policy that allows “all”.
In this example, a pdf file was downloaded from an FTP server.
In this example, SIP traffic was generated by placing a call with a VoIP FortiFone connected to the internal interface of the FortiGate.
In the screenshot, the SIP traffic is only using a small part of the allocated bandwidth.
  • kevin

    Does this work if you have a bandwidth of 200GB up and down?

  • Tom Ritec

    You are correct, I absolutely am using flow-based. I honestly don’t understand why anyone would use proxy-based inspection mode if you are QoS’ing VoIP. I would think you would want all of the operational efficiency possible so as not to bog down the unit’s resources…

  • Tom Ritec

    No VoIP under feature on my 90E either…

    • bdickie

      This could be because your FortiGate is operating in flow-based inspection mode. VoIP is only available on the GUI in proxy mode.

      • Tom Ritec

        Thank you for the tip – that was definitely the reason I wasn’t seeing VoIP in the GUI.

  • Tom Ritec

    Yeah, no VOIP under feature on my Fortigate 60E either… Can anyone comment on this?

    • bdickie

      This may be because your FortiGate is operating in flow-based
      inspection mode. VoIP is only available on the GUI in proxy mode.

  • Chad Tremie

    There is no VOIP under feature of my Fortigate 60E, any idea?

  • Steve G

    Great article Kayla. Given the amount of Google Hangouts we use I would like to prioritise that traffic, however I’d prefer to give the traffic a higher priority without specifying a bandwidth value as usage levels wary so much it would be difficult to define a throughput. I assume if I follow this template and simply don’t enter any bandwidth values the Hangout traffic would still take priority over regular web traffic?

    • Hi Steve,
      Glad you enjoyed the article! If your bandwidth usage varies greatly, you don’t necessarily need to set max bandwidth values. You can set a guaranteed bandwidth for Google Hangouts using application control to ensure that a certain amount of your bandwidth is kept in reserve for Google Hangouts traffic. Your firewall policy must have application control enabled, and then in your traffic shaping policy, you can set Application to Google Hangouts (see attached screenshot).

      To determine the guaranteed bandwidth, first you need to check what your Internet bandwidth is. Make sure to run an actual bandwidth test using one of the many free utilities available online (rather than just looking at your advertised Internet package from your provider). With that as a reference point, you can make an educated guess as to how much of that is Google Hangouts traffic. If you think it’s 25%, start out a little under that, say 20% of the bandwidth for your high-priority shaper.

      You can also find more information about traffic shaping considerations in our traffic shaping handbook: http://docs.fortinet.com/d/fortigate-traffic-shaping-56
      https://uploads.disquscdn.com/images/4bdb95f738bab807d10115f607469b7c21489377a5175d67ea3360bd36ab1a42.png