Limited network resources make bandwidth prioritization necessary. To ensure that important, business-critical applications are given enough bandwidth, the firewall provides traffic shaping (also known as "packet shaping" and "QoS" (Quality of Service)) methods to let you prioritize network resources according to factors such as the time of day, application type, and user identity. You can identify the traffic and assign its priority using access rules.
Watch the video below for a short demo on how to configure bandwidth policies and QoS.
Classification by the access ruleset is static - it does not change after the session is initiated. For classification according to dynamic factors such as the time of day or download volume, the firewall provides the QoS band.
Network data can be shaped in the following ways:
- Outbound shaping – The traffic is shaped before it is delivered to a network interface.
- Inbound shaping – The traffic is shaped after it is received by a network interface.
There are eight different bandwidth policies. They are listed in the following table, in order of decreasing priority:
|VoIP||Highest priority before all other bandwidth policies. Traffic is sent with no delay.|
|Business||Very high priority.|
|Internet||Medium priority. If more than 10 MB of data is transferred in one session, the priority of the traffic in that session drops to the same as Background.|
|Background||Next lower priority.|
|Low||Low priority. Low and Lowest Priority are limited to 5% of the available bandwidth.|
|Lowest Priority||Lowest priority. Low and Lowest Priority are limited to 5% of the available bandwidth.|
Applications assigned this are unusable, but will not seek another way to send traffic. For example, if you wish to block Skype traffic, assign this policy to the Skype application.
- VoIP will always be given first priority. The same applies for Interactive, which is limited to 90% of the overall available bandwidth, thus always leaving at least 10% for VoIP traffic.
- The bandwidth ratio of Business : Internet : Background is 10:2:1 for residual bandwidth that is not used by VoIP or Interactive. In addition, Internet has a built-in size limit of 10 MB, after which a session is downgraded to Background, thus receiving a smaller bandwidth ratio after the limit is exceeded.
- The LowPrio virtual interface is limited to 5% of the overall available bandwidth. The bandwidth ratio of the LowPrio : LowestPrio : Choke shaping connectors is 10:2:1.
- The Choke virtual interface is limited to 0.1% of the overall bandwidth. These shaping connectors are ideally used to slow down somewhat unnecessary traffic and applications that cannot be completely blocked.
Queues and Rate Limits
The following diagram shows how the eight bandwidth policies are divided into queues:
- The Priority Queues always take precedence.
- The Regular Queues can use unlimited bandwidth.
- The Rate Limiting Queues are collectively limited to 5% of the maximum link bandwidth.
The rate limits always apply, so even if there is no other traffic, the traffic in the Rate Limiting Queues never uses more than 5% of the bandwidth.
The classes within the Regular and Rate Limiting queues are weighted relative to the other classes in the same queue. Class weights are enforced only when the link is saturated.
In order to use traffic shaping, you must refer to it in an access rule. For instructions on how to configure traffic shaping, see How to Create and Apply QoS Bands.