Traffic Shaping on a zone with Multiple Interfaces

Traffic shaping with multiple interfaces in the untrust zone.  Examples include dual-untrust and redundant interfaces.
Traffic shaping cannot be configured if the egress zone has more than one interface.  No traffic shaping options are available for policies in the WebUI.

Traffic shaping on an egress zone with multiple interfaces is supported on ScreenOS 5.1.0 and higher.  In order to enable this functionality, the following command must be applied:

set traffic-shaping multi-egress-if

This command is enabled by default in ScreenOS 5.2.0 and higher.

This is how the feature works: with 'multi-egress-if' enabled, if the outgoing zone has 'n' interfaces, the traffic associated with a session matching the policy has a guaranteed bandwidth of n*gbw and a maximum bandwidth of n*mbw.


Assume ethernet3 and ethernet4 are bound to the untrust zone, so there are 2 interfaces in the egress zone.  Assume we have the following policy:

set policy from trust to untrust any any any permit gbw 128 mbw 256

With this setup, the effective gbw is 256 kbit/sec, and the mbw is 512 kbps.
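
The same calculation applied to a whole saved configuration, as an added example (not part of the original article and not Juniper code): it counts the interfaces bound to each policy's egress zone and reports the effective gbw and mbw as n times the configured values. The sample configuration is constructed, the "set interface ... zone ..." binding lines are an assumption of the example, and the names effective_shaping, _rate and SAMPLE_CONFIG are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample configuration, not taken from a real device. The
# "set interface ... zone ..." binding lines are an assumption of this example;
# the policy lines follow the form used on this page.
SAMPLE_CONFIG = """\
set traffic-shaping multi-egress-if
set interface ethernet1 zone trust
set interface ethernet3 zone untrust
set interface ethernet4 zone untrust
set policy from trust to untrust any any any permit gbw 128 mbw 256
set policy from untrust to trust any any any permit gbw 64 mbw 100
set policy from trust to untrust any any any permit
"""

IFACE_RE = re.compile(r'^set interface (\S+) zone "?([^"\s]+)"?$', re.I)
POLICY_RE = re.compile(r'^set policy\b.*?\bfrom "?([^"\s]+)"? to "?([^"\s]+)"? ', re.I)

def _rate(keyword, line):
    """Return the integer after 'gbw' or 'mbw' in a policy line, or None."""
    m = re.search(r'\b%s (\d+)\b' % keyword, line)
    return int(m.group(1)) if m else None

def effective_shaping(config, multi_egress_if=False):
    """List each shaped policy with its effective gbw/mbw (None if unavailable)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # ScreenOS 5.2.0+ enables the option by default, so callers pass True there.
    multi = multi_egress_if or "set traffic-shaping multi-egress-if" in lines
    zone_ifaces = defaultdict(set)
    for ln in lines:
        m = IFACE_RE.match(ln)
        if m:
            zone_ifaces[m.group(2).lower()].add(m.group(1))
    report = []
    for ln in lines:
        p = POLICY_RE.match(ln)
        gbw, mbw = _rate("gbw", ln), _rate("mbw", ln)
        if not p or (gbw is None and mbw is None):
            continue  # not a policy line, or a policy without shaping values
        n = len(zone_ifaces[p.group(2).lower()])
        # n egress interfaces give n*gbw and n*mbw; without the option, shaping
        # toward a zone with more than one interface cannot be configured.
        factor = n if n and (multi or n == 1) else None
        scale = lambda v: None if v is None or factor is None else v * factor
        report.append({"policy": ln, "egress_zone": p.group(2).lower(), "interfaces": n,
                       "effective_gbw": scale(gbw), "effective_mbw": scale(mbw)})
    return report
```

When the intent is a fixed total rate toward the zone, the report makes it easy to spot policies whose configured values should be the intended total divided by the interface count.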


