Fortinet Handbook

6.0.0

Configuring differentiated services

Differentiated services (DiffServ) describes a set of end-to-end Quality of Service (QoS) capabilities. End-to-end QoS is the ability of a network to deliver the service required by specific traffic from one end of the network to the other. By configuring differentiated services, you configure your network to deliver specific levels of service to different packets, based on the QoS class each packet carries. DiffServ is defined in RFC 2474 and RFC 2475 as an enhancement to IP networking that enables scalable service discrimination without per-flow state or signaling at every hop. Routers that understand differentiated services sort IP traffic into classes by inspecting the DS field in the IPv4 header or the Traffic Class field in the IPv6 header.

You can use the DiffServ feature on a FortiGate to change the DSCP (Differentiated Services Code Point) value of all packets that a policy accepts. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP takes effect when the routers on your network are configured to apply different service levels to packets according to their DSCP value. If you don't enable the DiffServ feature, the FortiGate treats traffic as though the DSCP value is the default (000000, shown by a sniffer as ToS byte 0x00) and doesn't change the DSCP field of IP packets. DSCP marking is also not applied to traffic that originates from the FortiGate itself.

The FortiGate writes the DSCP value into the differentiated services (DS) field, formerly the Type of Service (ToS) byte, in the first word of the IP header; this applies to IPsec-encrypted traffic as well. With the default DSCP value, the first two bytes of a typical IPv4 header read 4500:

  • 4 for IPv4 (the 4-bit version field)
  • 5 for a header length of five 32-bit words, that is 20 bytes (the 4-bit IHL field)
  • 00 for the DS byte: six DSCP bits of 000000 followed by two ECN bits of 00

Because the DSCP bits occupy the upper six bits of the DS byte, a DSCP value appears in a sniffer as the 6-bit value shifted left by two: 101110 becomes 0xb8.

You can change the packet's DSCP field for the traffic that initiates a session (forward direction), for the reply traffic (reverse direction), or for both; each direction is enabled and configured separately in the security policy. Changes to DSCP values in a security policy affect new sessions only. If you want existing traffic to use the new DSCP values immediately, clear all existing sessions.

You can also set DSCP values in traffic shapers: a shared traffic shaper carries a single DSCP value, and a per-IP traffic shaper carries separate values for the forward and reverse directions.

Configure DSCP – CLI

config firewall policy
    edit <policy_ID>
        set diffserv-forward enable
        set diffservcode-forward <DiffServ_value>
        set diffserv-reverse enable
        set diffservcode-rev <reverse_DiffServ_value>
    next
end

For more information about the DSCP commands, see the examples below and the CLI Reference. The diffservcode values are six binary digits. If you enable diffserv-forward or diffserv-reverse without setting the corresponding diffservcode-forward or diffservcode-rev value, the FortiGate marks that direction with 000000.

DSCP examples

The following examples use the FortiGate and client PC topology shown in the following diagram. All of them set DSCP in firewall policies rather than in traffic shapers.

DSCP example 1

In this example, an ICMP ping is sent between User 1 and User 2, through FortiGate A and FortiGate B. On FortiGate B, DSCP marking is disabled.

FortiGate A is configured as follows:

config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set diffserv-forward enable
        set diffservcode-forward 101110
    next
end

This means that FortiGate A changes the DSCP field of the forward traffic (the packets that initiate the session) but leaves the DSCP field of the reply traffic unchanged.

The binary DSCP values map to the following ToS field values (which you can see using a packet sniffer):

DSCP value (binary)   ToS value (hex)   Note
000000                0x00              Default value; no marking applied
101110                0xb8              Recommended DSCP value for Expedited Forwarding (EF)

The following diagram shows the IP headers captured by packet sniffers on the network interfaces of FortiGate A and FortiGate B when an ICMP ping is sent between User 1 and User 2. In each header, the last two hex digits of the first word (for example 45b8) are the ToS byte, which carries the DSCP value in its upper six bits.
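As an added example (not code from the Fortinet handbook), the following Python script makes the header-word breakdown in the introduction and the binary-to-hex mapping in these tables concrete: it decodes the first word of an IPv4 header into version, IHL and DS byte, converts a diffservcode value such as 101110 into the 0xb8 a sniffer shows, re-marks a constructed sample header the way a diffserv-forward policy does (recomputing the header checksum, which covers the DS byte), and emits the tcpdump filter you would use on a host to confirm that the marking arrived. The sample addresses, the other header fields and the helper names are assumptions made for the example.

```python
# Added example (not from the Fortinet handbook): decode the DS/ToS byte of an IPv4
# header the way a sniffer shows it, and re-mark it the way a diffserv-forward or
# diffserv-reverse policy does. The sample header below is constructed for the example.
import ipaddress
import struct


def dscp_to_tos(dscp_bits: str, ecn: int = 0) -> int:
    """Map a 6-bit DSCP string as typed into 'set diffservcode-forward' (e.g. '101110')
    to the 8-bit DS byte a sniffer displays. DSCP is the upper six bits, ECN the lower two."""
    if len(dscp_bits) != 6 or set(dscp_bits) - {"0", "1"}:
        raise ValueError(f"DSCP must be exactly six binary digits, got {dscp_bits!r}")
    if not 0 <= ecn <= 3:
        raise ValueError("ECN is a 2-bit field")
    return (int(dscp_bits, 2) << 2) | ecn


def tos_to_dscp(tos: int) -> str:
    """Inverse of dscp_to_tos: drop the ECN bits and print the DSCP as six binary digits."""
    return format((tos & 0xFF) >> 2, "06b")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of the
    16-bit words. Over a header whose checksum field is already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_first_word(header: bytes) -> dict:
    """Split the first 16 bits of the header (0x4500 for an unmarked packet) into the
    version nibble, the IHL nibble and the DS byte."""
    tos = header[1]
    return {
        "first_word_hex": header[:2].hex(),
        "version": header[0] >> 4,
        "header_len_bytes": (header[0] & 0x0F) * 4,
        "tos": tos,
        "dscp": tos_to_dscp(tos),
        "ecn": tos & 0x03,
    }


def mark_dscp(packet: bytes, dscp_bits: str) -> bytes:
    """Rewrite the DSCP bits of an IPv4 packet, preserving the ECN bits, and recompute the
    header checksum, which covers the DS byte. Any payload after the header is left as is."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    hdr = bytearray(packet[:ihl])
    hdr[1] = dscp_to_tos(dscp_bits, ecn=hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"  # zero the checksum field before recomputing it
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def checksum_ok(packet: bytes) -> bool:
    """True when the header checksum matches the header contents."""
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


def tcpdump_filter(dscp_bits: str) -> str:
    """tcpdump/BPF expression matching a DSCP value regardless of the ECN bits, for
    verifying the marking on a host behind the FortiGate."""
    return f"ip[1] & 0xfc == 0x{dscp_to_tos(dscp_bits):02x}"


def build_unmarked_header(src: str, dst: str, proto: int = 1, payload_len: int = 64) -> bytes:
    """Constructed sample: a 20-byte IPv4 header with DSCP 000000, as User 1's ICMP echo
    request would leave the PC. Addresses are placeholders, not taken from the handbook."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0x00, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    ))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


if __name__ == "__main__":
    request = build_unmarked_header("192.0.2.10", "198.51.100.20")
    print("before:", decode_first_word(request))  # first_word_hex 4500, dscp 000000
    marked = mark_dscp(request, "101110")          # what FortiGate A's forward policy does
    print("after: ", decode_first_word(marked))   # first_word_hex 45b8, dscp 101110
    print("verify with: tcpdump -ni eth0", repr(tcpdump_filter("101110")))
```

Run it directly to see the header before and after marking. The checksum step is the part that is easy to forget when hand-checking captures: any device that rewrites DSCP must also rewrite the IPv4 header checksum, so a capture showing a changed ToS byte with an unchanged checksum points at a broken marking device, not a sniffer artifact.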

DSCP example 2

In this example, an ICMP ping is sent between User 1 and User 2, through FortiGate A and FortiGate B. On FortiGate B, DSCP marking is disabled.

FortiGate A is configured as follows:

config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set diffserv-forward enable
        set diffservcode-forward 101110
        set diffserv-reverse enable
        set diffservcode-rev 101111
    next
end

This means that FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic.

The binary DSCP values map to the following ToS field values:

DSCP value (binary)   ToS value (hex)   Note
000000                0x00              Default value; no marking applied
101110                0xb8              Recommended DSCP value for Expedited Forwarding (EF); set by FortiGate A on forward traffic
101111                0xbc              Set by FortiGate A on reply traffic

The following diagram shows the IP headers captured by packet sniffers on the network interfaces of FortiGate A and FortiGate B when an ICMP ping is sent between User 1 and User 2. In each header, the last two hex digits of the first word are the ToS byte, which carries the DSCP value in its upper six bits.

DSCP example 3

In this example, an ICMP ping is sent between User 1 and User 2, through FortiGate A and FortiGate B. On FortiGate A, DSCP marking is enabled for both directions. On FortiGate B, it is enabled for reply traffic only.

FortiGate A is configured as follows:

config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set diffserv-forward enable
        set diffservcode-forward 101110
        set diffserv-reverse enable
        set diffservcode-rev 101111
    next
end

FortiGate B is configured as follows:

config firewall policy
    edit 2
        set srcintf wan2
        set dstintf internal
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set diffserv-reverse enable
        set diffservcode-rev 101101
    next
end

This means that FortiGate A changes the DSCP field of both the forward traffic and its reply traffic. FortiGate B changes the DSCP field of the reply traffic only, as the ping replies from User 2 pass back through its wan2-to-internal policy.

The binary DSCP values map to the following ToS field values:

DSCP value (binary)   ToS value (hex)   Note
000000                0x00              Default value; no marking applied
101101                0xb4              Set by FortiGate B on reply traffic
101110                0xb8              Recommended DSCP value for Expedited Forwarding (EF); set by FortiGate A on forward traffic
101111                0xbc              Set by FortiGate A on reply traffic

The following diagram shows the IP headers captured by packet sniffers on the network interfaces of FortiGate A and FortiGate B when an ICMP ping is sent between User 1 and User 2. In each header, the last two hex digits of the first word are the ToS byte, which carries the DSCP value in its upper six bits.

DSCP example 4

In this example, HTTPS and DNS traffic is sent from User 1 to FortiGate B itself, through FortiGate A. On FortiGate A, DSCP marking is enabled for both directions. On FortiGate B, it is enabled for reply traffic only.

FortiGate A is configured as follows:

config firewall policy
    edit 2
        set srcintf port6
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set diffserv-forward enable
        set diffservcode-forward 101110
        set diffserv-reverse enable
        set diffservcode-rev 101111
    next
end

FortiGate B is configured as follows:

config firewall policy
    edit 2
        set srcintf wan2
        set dstintf internal
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set diffserv-reverse enable
        set diffservcode-rev 101101
    next
end

This means that FortiGate A changes the DSCP field of both the forward traffic and its reply traffic. FortiGate B's policy changes the DSCP field only for the reply traffic of sessions that match it, that is, sessions passing from wan2 to its internal interface. The HTTPS and DNS sessions in this example terminate on FortiGate B itself and never pass through the internal interface, so FortiGate B doesn't mark any packets.

The binary DSCP values map to the following ToS field values:

DSCP value (binary)   ToS value (hex)   Note
000000                0x00              Default value; no marking applied
101101                0xb4              Configured on FortiGate B but not observed by the packet sniffer, because the reply traffic in this example originates from FortiGate B itself and so doesn't match the security policy
101110                0xb8              Recommended DSCP value for Expedited Forwarding (EF); set by FortiGate A on forward traffic
101111                0xbc              Set by FortiGate A on reply traffic

The following diagram shows the IP headers captured by packet sniffers on the network interfaces of FortiGate A and FortiGate B when HTTPS or DNS traffic is sent from User 1 to FortiGate B. In each header, the last two hex digits of the first word are the ToS byte, which carries the DSCP value in its upper six bits.
