Traffic shaping for VoIP

Facebooktwittergoogle_pluslinkedinFacebooktwittergoogle_pluslinkedin

The quality of VoIP phone calls through a firewall often suffers when the firewall is busy and the bandwidth available for the VoIP traffic fluctuates. This can be irritating, leading to unpredictable results and caller frustration. This recipe describes how to add traffic shaping to your FortiGate to guarantee that enough bandwidth is available for VoIP traffic, regardless of any other activity on the network.

To achieve high-quality real-time voice transmissions, VoIP traffic requires priority over other types of traffic, minimal packet loss, and jitter buffers. You will limit bandwidth consuming services, like FTP, while providing a consistent bandwidth for day-to-day email and web-based traffic. First, you will customize three existing traffic shaper profiles—high priority, medium priority, and low priority—and then create a separate traffic shaping policy for each service type.

Find this recipe for other FortiOS versions
5.2 | 5.6

1. Enabling Traffic Shaping and VoIP features

Go to System > Feature Select and enable both Traffic Shaping and VoIP. Apply your changes.

 

To be able to apply VoIP profiles you must enable proxy-based inspection by going to System > Settings and setting Inspection mode to Proxy.

2. Creating a high priority VoIP traffic shaper

Go to Policy & Objects > Traffic Shapers and edit the default high-priority traffic shaper.

Set Type to Shared. Set Apply shaper to Per Policy.

Set Traffic Priority to High. Select Max Bandwidth and enter 1000 Kbps. Select Guaranteed Bandwidth and enter 800 Kbps.

 

3. Creating a low priority FTP traffic shaper

Go to Policy & Objects > Traffic Shapers and edit the default low-priority traffic shaper.

Set Type to Shared. Set Apply shaper to All policies using this shaper.

Set Traffic Priority to Low. Set Max Bandwidth and Guaranteed Bandwidth to 200 Kbps.

 
 

4. Creating a medium priority daily traffic shaper

Go to Policy & Objects > Traffic Shapers and edit the default medium-priority traffic shaper.

Set Type to Shared. Set Apply shaper to Per Policy. Select Max Bandwidth and enter 600 Kbps. Set Traffic Priority to Medium. Select Guaranteed Bandwidth and enter 600 Kbps.  

 
 

5. Adding a VoIP security profile to your Internet access policy

Go to Policy & Objects > IPv4 Policy and edit your Internet access policy.

Under Security Profiles enable VoIP and change the logging options to All Sessions to test the results later.

Note your Source, Destination and Outgoing Interface for Step 6.

This shows the VoIP Security Profile enabled in the Internet access policy.

 

6. Creating three traffic shaping policies

Go to Policy & Objects > Traffic Shaping Policy and create a new high-priority traffic shaping policy for SIP traffic.

Set the Matching Criteria to the same settings as the Internet access policy you would like to apply traffic shaping to. Enable Shared Shaper and Reverse Shaper and select high-priority.

 

This shows the SIP shaping policy.

Follow the same process, to create a new low-priority traffic shaping policy for FTP traffic. Set Service to FTP and Shared Shaper and Reverse Shaper to low-priority.  This shows the FTP shaping policy.
Now create a medium-priority traffic shaping policy for daily traffic. Set Service to ALL and Shared Shaper and Reverse Shaper to medium-priority.  This image shows the medium-priority traffic shaping policy.

Arrange your policies in the following order:

    1. High-priority (SIP/VoIP traffic)
    2. Low-priority (FTP traffic)
    3. Medium-priority (Day-to-day traffic)

This image shows the policy list page.

 

 6. Results

Browse the Internet using a PC on your internal network to generate daily web traffic. Then, generate FTP traffic.

The FTP sessions should occur slowly.

This shows the FTP file download.

 

Finally, generate SIP traffic.

Go to FortiView > Traffic Shaping and look at the three active traffic shapers.

This shows how the high-priority policy has no dropped bytes. 

If the standard traffic volume is high enough, it will top out at the maximum bandwidth defined by each shaper. The high-priority VoIP (SIP) policy should show no dropped bytes, but either of the other two policies may show dropped bytes if the set bandwidth is maxed out. You will have normal voice quality on your VoIP call, even with daily traffic and FTP downloads running.

 

Select the graph icon to switch to the bubble graph view, and sort by Bandwidth. Mouse over a shaper to view more details, or double-click to drill down.

 

This shows the bandwidth flowing through all three policies.

For further reading, check out Traffic Shaping in the FortiOS 5.6 Handbook.

Fortinet Technical Documentation

Fortinet Technical Documentation

Contact Fortinet Technical Documentation at techdoc@fortinet.com.
Fortinet Technical Documentation

Latest posts by Fortinet Technical Documentation (see all)

Facebooktwittergoogle_pluslinkedinFacebooktwittergoogle_pluslinkedin
  • Was this helpful?
  • Yes   No
Before you apply QoS measures, ensure you have enough network bandwidth to support real-time voice traffic.
Traffic shaping rules and VoIP profiles can now be applied to firewall policies. 
Select Per Policy when you want each security policy for day-to-day business traffic to have the same distribution of bandwidth, regardless of the number of policies using the shaper. In this example, 800Kbps each.
Select All policies using this shaper to ensure that all policies using your shaper will be restricted to share a set amount of bandwidth. In this example, 200 Kbps total.
If you are creating a new traffic shaper, the Traffic Priority is set to High by default. A failure to set different shaper priorities will result in a lack of prioritized traffic.
Setting a low maximum bandwidth will prevent sudden spikes in traffic caused by large FTP file uploads and downloads. 
This shaper should be set to a moderate value and set to per policy so that day-to-day traffic has the same distribution of bandwidth. 
Make sure that you include a Reverse Shaper so that return traffic for a VoIP call has the same guaranteed bandwidth as an outgoing call.
Click on the far left of the column you want to move and drag it up or down to arrange it.
More specific restrictive policies, like the SIP and FTP policies, should always be placed at the top of the list, above the unrestricted general access policy that allows “all”.
In this example, a pdf file was downloaded from an FTP server.
In this example, SIP traffic was generated by placing a call with a VoIP FortiFone connected to the internal interface of the FortiGate.
In the screenshot, the SIP traffic is only using a small part of the allocated bandwidth.