Traffic shaping for VoIP


The quality of VoIP phone calls through a firewall often suffers when the firewall is busy and the amount of bandwidth available for the VoIP traffic fluctuates. This can be irritating, leading to unpredictable results and caller frustration. This recipe describes how to add traffic shaping to guarantee that enough bandwidth is available for VoIP traffic, regardless of any other activity on the network.

To achieve high-quality real-time voice transmissions, VoIP traffic requires priority over other types of traffic, minimal packet loss, and jitter buffers. You will limit bandwidth-consuming services, like FTP, while providing consistent bandwidth for day-to-day email and web-based traffic. First, you will customize three existing traffic shapers (high priority, medium priority, and low priority), and then create a separate security policy for each service type.


1. Enabling Traffic Shaping and VoIP features

Go to System > Config > Features and click the Show More button to view additional features. If necessary, select ON to enable both Traffic Shaping and VoIP. Apply your changes.


2. Configuring a high priority VoIP traffic shaper

Go to Policy & Objects > Objects > Traffic Shapers and edit the existing high-priority traffic shaper.

Set Type to Shared. Set Apply shaper to Per Policy.

Set Traffic Priority to High. Select Max Bandwidth and enter 1000 kb/s (1 Mbps). Select Guaranteed Bandwidth and enter 800 kb/s (0.8 Mbps).


3. Configuring a low priority FTP traffic shaper

Go to Policy & Objects > Objects > Traffic Shapers and edit the existing low-priority traffic shaper.

Set Type to Shared. Set Apply shaper to All policies using this shaper.

Set Traffic Priority to Low. Set Max Bandwidth and Guaranteed Bandwidth to 200 kb/s (0.2 Mbps).


4. Configuring a medium priority daily traffic shaper

Go to Policy & Objects > Objects > Traffic Shapers and edit the existing medium-priority traffic shaper.

Set Type to Shared. Set Apply shaper to Per Policy. Select Max Bandwidth and enter 600 kb/s (0.6 Mbps). Set Traffic Priority to Medium. Select Guaranteed Bandwidth and enter 600 kb/s (0.6 Mbps).  


5. Applying each shaper to a device-based policy

Go to Policy & Objects > Policy > IPv4 and create a new security policy for SIP traffic.

Enable Shared Shaper and Reverse Shaper and select high-priority.

For Logging Options, select All Sessions for testing purposes.


Go to Policy & Objects > Policy > IPv4 and create a security policy for FTP traffic.


Go to Policy & Objects > Policy > IPv4 and create a security policy for daily web-based traffic, email traffic, and other traffic.

Arrange your policies in the following order: 

    1. High-priority (SIP/VoIP traffic)
    2. Low-priority (FTP traffic)
    3. Medium-priority (Day-to-day traffic)
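
As an added example (not part of the original recipe or Fortinet's own code), this Python script audits a configuration backup for three points the recipe depends on: a reverse shaper on the SIP policy, no non-VoIP policy shaped at high priority, and the general "ALL" policy placed last. The config excerpt is constructed, its CLI keywords (priority, service, traffic-shaper, traffic-shaper-reverse) are assumed to match the FortiOS CLI, and the function names are hypothetical.

```python
import shlex

SAMPLE = """config firewall shaper traffic-shaper
    edit "high-priority"
        set priority high
    next
    edit "low-priority"
        set priority low
    next
    edit "medium-priority"
        set priority medium
    next
end
config firewall policy
    edit 1
        set service "SIP"
        set traffic-shaper "high-priority"
        set traffic-shaper-reverse "high-priority"
    next
    edit 2
        set service "FTP"
        set traffic-shaper "low-priority"
    next
    edit 3
        set service "ALL"
        set traffic-shaper "medium-priority"
    next
end"""  # constructed excerpt; keywords assumed to match the FortiOS CLI

def parse(text):  # -> {section name: [entry dict, ...]} in configured order
    cfg = {}
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            section = cfg.setdefault(" ".join(tok[1:]), [])
        elif tok[0] == "edit":
            section.append({"id": tok[1]})
        elif tok[0] == "set":
            section[-1][tok[1]] = " ".join(tok[2:])
    return cfg

def audit(text):  # hypothetical helper: returns a list of findings, empty if none
    cfg, out = parse(text), []
    prio = {s["id"]: s.get("priority", "high") for s in cfg.get("firewall shaper traffic-shaper", [])}
    for i, p in enumerate(pols := cfg.get("firewall policy", [])):
        svc, shaper = p.get("service", "").split(), prio.get(p.get("traffic-shaper"))
        checks = [("SIP" in svc and "traffic-shaper-reverse" not in p, "SIP without reverse shaper"),
                  ("SIP" not in svc and shaper == "high", "non-VoIP traffic at high priority"),
                  ("ALL" in svc and i < len(pols) - 1, "general policy above specific ones")]
        out += [f"policy {p['id']}: {msg}" for bad, msg in checks if bad]
    return out
```

A shaper with no priority line is treated as High, matching the default for new shapers noted in this recipe.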

6. Results

Browse the Internet using a PC on your internal network to generate daily web traffic. Then, generate FTP traffic.

The FTP download or upload should occur slowly.


Finally, generate SIP traffic.

Go to Policy & Objects > Monitor > Traffic Shaper Monitor and report by Current Bandwidth. You can see how much of your current bandwidth is being used by active traffic shapers. If the standard traffic volume is high enough, it will top out at the maximum bandwidth defined by each shaper.

You will have normal voice quality on your VoIP call, even with daily traffic and FTP downloads running.




Go to Log & Report > Log & Archive Access > Traffic Log and filter the Service by SIP to see your VoIP traffic. Select an individual log message to view the shaper name in the Sent Shaper Name field.


For further reading, check out Traffic Shaping in the FortiOS 5.2 Handbook.

Before you apply QoS measures, ensure you have enough network bandwidth to support real-time voice traffic.
Traffic shaping rules and VoIP profiles can now be applied to firewall policies. 
Select Per Policy when you want each security policy for day-to-day business traffic to have the same distribution of bandwidth, regardless of the number of policies using the shaper. In this example, 800 kb/s (0.8 Mbps) each.
Select All policies using this shaper to ensure that all policies using your shaper will be restricted to share a set amount of bandwidth. In this example, 200 kb/s (0.2 Mbps) total.
If you are creating a new traffic shaper, the Traffic Priority is set to High by default. A failure to set different shaper priorities will result in a lack of prioritized traffic.
Setting a low maximum bandwidth will prevent sudden spikes in traffic caused by large FTP file uploads and downloads. 
This shaper should be set to a moderate value and set to per policy so that day-to-day traffic has the same distribution of bandwidth. 
Make sure that you include a Reverse Shaper so that return traffic for a VoIP call has the same guaranteed bandwidth as an outgoing call.
You can also edit your existing general access security policy.
Click on the far left of the column you want to move and drag it up or down to arrange it.
More specific restrictive policies, like the SIP and FTP policies, should always be placed at the top of the list, above the unrestricted general access policy that allows “all”.
In this example, a 56.1 MB file was downloaded from an FTP server.
In this example, SIP traffic was generated by placing a call with a VoIP FortiFone connected to the internal interface of the FortiGate.
In the screenshot, the SIP traffic is only using a small part of the allocated bandwidth.