Traffic shaping for VoIP

The quality of VoIP phone calls through a firewall often suffers when the firewall is busy and the amount of bandwidth available for the VoIP traffic fluctuates. This can be irritating, leading to unpredictable results and caller frustration. This recipe describes how to add traffic shaping to guarantee that enough bandwidth is available for VoIP traffic, regardless of any other activity on the network.

To achieve high-quality real-time voice transmissions, VoIP traffic requires priority over other types of traffic, minimal packet loss, and jitter buffers. You will limit bandwidth-consuming services, like FTP, while providing a consistent bandwidth for day-to-day email and web-based traffic. First, you will customize three existing traffic shapers—high priority, medium priority, and low priority—and then create a separate security policy for each service type.

1. Enabling Traffic Shaping and VoIP features

Go to System > Config > Features and click the Show More button to view additional features. If necessary, select ON to enable both Traffic Shaping and VoIP. Apply your changes.

 

2. Configuring a high priority VoIP traffic shaper

Go to Policy & Objects > Objects > Traffic Shapers and edit the existing high-priority traffic shaper.

Set Type to Shared. Set Apply shaper to Per Policy.

Set Traffic Priority to High. Select Max Bandwidth and enter 1000 kb/s (1 Mbps). Select Guaranteed Bandwidth and enter 800 kb/s (0.8 Mbps).

 

3. Configuring a low priority FTP traffic shaper

Go to Policy & Objects > Objects > Traffic Shapers and edit the existing low-priority traffic shaper.

Set Type to Shared. Set Apply shaper to All policies using this shaper.

Set Traffic Priority to Low. Set Max Bandwidth and Guaranteed Bandwidth to 200 kb/s (0.2 Mbps).

 
 

4. Configuring a medium priority daily traffic shaper

Go to Policy & Objects > Objects > Traffic Shapers and edit the existing medium-priority traffic shaper.

Set Type to Shared. Set Apply shaper to Per Policy. Select Max Bandwidth and enter 600 kb/s (0.6 Mbps). Set Traffic Priority to Medium. Select Guaranteed Bandwidth and enter 600 kb/s (0.6 Mbps).  

 
 

5. Applying each shaper to a device-based policy

Go to Policy & Objects > Policy > IPv4 and create a new security policy for SIP traffic.

Enable Shared Shaper and Reverse Shaper and select high-priority.

For Logging Options, select All Sessions for testing purposes.

 

Go to Policy & Objects > Policy > IPv4 and create a security policy for FTP traffic.

 

Go to Policy & Objects > Policy > IPv4 and create a security policy for day-to-day web-based traffic, email, and other traffic.

Arrange your policies in the following order: 

    1. High-priority (SIP/VoIP traffic)
    2. Low-priority (FTP traffic)
    3. Medium-priority (Day-to-day traffic)
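
Why the order matters, as an added example (not part of the original recipe or FortiOS itself): policies are evaluated top to bottom and the first match decides which shaper a session gets, so a general "all" policy placed first hides the SIP and FTP policies. The policy names, the port numbers, and the service-only matching model (interfaces and addresses are ignored) are assumptions made for this sketch.

```python
# Added illustration: first-match policy lookup and shadowed-policy detection.
# Policy names, ports and the service-only match model are constructed here.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ANY = None  # stands for service "ALL": matches every protocol/port

@dataclass(frozen=True)
class Policy:
    name: str
    services: Optional[FrozenSet[Tuple[str, int]]]  # (proto, port) pairs or ANY
    shaper: str

    def matches(self, proto, port):
        return self.services is ANY or (proto, port) in self.services

SIP = frozenset({("udp", 5060), ("tcp", 5060)})
FTP = frozenset({("tcp", 21)})

# Order recommended by the recipe: specific policies above the general one.
RECIPE_ORDER = [
    Policy("voip", SIP, "high-priority"),
    Policy("ftp", FTP, "low-priority"),
    Policy("general", ANY, "medium-priority"),
]
# Same policies with the general "all" policy moved to the top.
BAD_ORDER = [RECIPE_ORDER[2], RECIPE_ORDER[0], RECIPE_ORDER[1]]

def shaper_for(policies, proto, port):
    """Return the shaper of the first policy that matches, top to bottom."""
    for p in policies:
        if p.matches(proto, port):
            return p.shaper
    return None  # no policy matched, so no shaper applies

def shadowed(policies):
    """Names of policies fully covered by a single earlier policy."""
    hidden = []
    for i, p in enumerate(policies):
        for earlier in policies[:i]:
            if earlier.services is ANY or (
                    p.services is not ANY and p.services <= earlier.services):
                hidden.append(p.name)
                break
    return hidden

if __name__ == "__main__":
    for label, order in (("recipe", RECIPE_ORDER), ("general first", BAD_ORDER)):
        print(label, "| SIP ->", shaper_for(order, "udp", 5060),
              "| FTP ->", shaper_for(order, "tcp", 21),
              "| shadowed:", shadowed(order))
```

With the general policy on top, the SIP session is shaped by medium-priority and both specific policies are reported as shadowed, which is the condition to look for when reviewing a policy list.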
 

6. Results

Browse the Internet using a PC on your internal network to generate daily web traffic. Then, generate FTP traffic.

The FTP download or upload should occur slowly.

 

Finally, generate SIP traffic.

Go to Policy & Objects > Monitor > Traffic Shaper Monitor and report by the Current Bandwidth. You can see how much of your current bandwidth is being used by active traffic shapers. If the standard traffic volume is high enough, it will top out at the maximum bandwidth defined by each shaper.

You will have normal voice quality on your VoIP call, even with daily traffic and FTP downloads running.

 

 

 

Go to Log & Report > Log & Archive Access > Traffic Log and filter the Service by SIP to see your VoIP traffic. Select an individual log message to view the shaper name in the Sent Shaper Name field.

 

For further reading, check out Traffic Shaping in the FortiOS 5.2 Handbook.

Kayla Robinson


Technical Writer at Fortinet
Kayla Robinson works in Ottawa as part of Fortinet's Technical Documentation and New Media team. With a Bachelor's degree from Carleton, and a graduate certificate in Technical Writing from Algonquin College, she enjoys creating FortiOS Cookbook videos.
Before you apply QoS measures, ensure you have enough network bandwidth to support real-time voice traffic.
Traffic shaping rules and VoIP profiles can now be applied to firewall policies. 
Select Per Policy when you want each security policy for day-to-day business traffic to have the same distribution of bandwidth, regardless of the number of policies using the shaper. In this example, 800 kb/s (0.8 Mbps) each.
Select All policies using this shaper to ensure that all policies using your shaper will be restricted to share a set amount of bandwidth. In this example, 200 kb/s (0.2 Mbps) total.
If you are creating a new traffic shaper, the Traffic Priority is set to High by default. A failure to set different shaper priorities will result in a lack of prioritized traffic.
Setting a low maximum bandwidth will prevent sudden spikes in traffic caused by large FTP file uploads and downloads. 
This shaper should be set to a moderate value and set to Per Policy so that day-to-day traffic has the same distribution of bandwidth.
Make sure that you include a Reverse Shaper so that return traffic for a VoIP call has the same guaranteed bandwidth as an outgoing call.
You can also edit your existing general access security policy.
Click on the far left of the column you want to move and drag it up or down to arrange it.
More specific restrictive policies, like the SIP and FTP policies, should always be placed at the top of the list, above the unrestricted general access policy that allows “all”.
In this example, a 56.1 MB file was downloaded from an FTP server.
In this example, SIP traffic was generated by placing a call with a VoIP FortiFone connected to the internal interface of the FortiGate.
In the screenshot, the SIP traffic is only using a small part of the allocated bandwidth.

Leave a comment:


  • ชัชนนนญ์ พงศ์

    Normally a reverse shaper must be configured on the ISP device.
    How does it work on FortiGate?

  • keven

    This appears to be wrong. The choppy voice with VoIP is not coming from port 5060 but from the RTP ports after the connection is established, so 5060 is not the only port that needs to be prioritized; all the RTP ports where the voice is taking place need it too. Also, this doesn't take into consideration the WAN link speed upstream/downstream. Looks like a weak how-to.