Configuring differentiated services
Differentiated services (DiffServ) describes a set of end-to-end Quality of Service (QoS) capabilities. End-to-end QoS is the ability of a network to deliver the service required by specific network traffic from one end of the network to the other. By configuring differentiated services, you configure your network to deliver specific levels of service for different packets, based on the QoS specified by each packet. DiffServ is defined by RFC 2474 and RFC 2475 as enhancements to IP networking that enable scalable service discrimination in the IP network without the need for per-flow state and signaling at every hop. Routers that understand differentiated services sort IP traffic into classes by inspecting the DS field in the IPv4 header or the Traffic Class field in the IPv6 header.
You can use the DiffServ feature on a FortiGate to change the DSCP (Differentiated Services Code Point) value for all packets that a policy accepts. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets, depending on the DSCP value of the packet. If you don't enable the DiffServ feature, the FortiGate treats traffic as though the DSCP value is set to the default (00) and doesn't change the DSCP field of IP packets. Also, DSCP values aren't applied to traffic if the traffic originates from the FortiGate.
The FortiGate applies the DSCP value and IPsec encryption to the differentiated services (formerly ToS) field in the first word of the IP header. The typical first word of an IP header, with the default DSCP value, is 4500 (hexadecimal):
- 4 for IPv4
- 5 for a length of five words
- 00 for the default DSCP value
You can change the DSCP field of the packets that initiate a session (forward direction), of the reply packets (reverse direction), or both; each direction is enabled and configured separately in the security policy. Changes to DSCP values in a security policy affect new sessions only. If you want existing traffic to use the new DSCP values immediately, clear all existing sessions.
You can also define DSCP values in a shared traffic shaper as a single value and a per-IP traffic shaper for forward and reverse directions.
Configure DSCP – CLI
config firewall policy
edit <policy_ID>
set diffserv-forward enable
set diffservcode-forward <DiffServ_value>
set diffserv-reverse enable
set diffservcode-rev <reverse_DiffServ_value>
next
end
For more information about DSCP commands, see the examples below and the CLI Reference. If you enable diffserv-forward and diffserv-reverse without setting the corresponding diffservcode-forward and diffservcode-rev values, the FortiGate sets the DSCP values to 000000.
DSCP examples
The following examples use the FortiGate and client PC configuration that is shown in the following diagram. The examples also use firewall-based DSCP configurations.
DSCP example 1
In this example, an ICMP ping is sent between User 1 and FortiGate B, through FortiGate A. On FortiGate B, DSCP is disabled.
FortiGate A is configured as follows:
config firewall policy
edit 2
set srcintf port6
set dstintf port3
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set diffserv-forward enable
set diffservcode-forward 101110
next
end
This means that FortiGate A changes the DSCP field for outgoing traffic. FortiGate A doesn't change the DSCP field for its reply traffic.
The binary DSCP values map to the following ToS field values (which you can see using a packet sniffer):
DSCP value | ToS value |
---|---|
000000 | 0x00 |
101110 (the recommended DSCP value for Expedited Forwarding, EF) | 0xb8 |
The following diagram shows the IP headers for the requests and replies, as captured by packet sniffers on the network interfaces of FortiGate A and FortiGate B, when an ICMP ping is sent between User 1 and User 2. The last two hexadecimal digits of each IP header's first word are the ToS field, which contains the DSCP value.
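The first-word layout described above (4 for IPv4, 5 for the header length, then the ToS byte) and the DSCP-to-ToS table are both a matter of bit positions: the six DSCP bits occupy the upper part of the ToS byte and the two ECN bits the lower part, so 101110 becomes 0xb8 and 101111 becomes 0xbc. The following Python is an added example, not code from the FortiGate documentation or from Fortinet. It decodes the first word of an IPv4 header as a sniffer would show it, converts between the six-digit binary values used in the policy and the hexadecimal ToS byte, and compares the DSCP seen on each capture point against the value the policy should have written. The capture bytes, the interface names and the `DSCP_NAMES` lookup are constructed for the example; the name table is the well-known set of code points (EF, class selectors), not something the page defines.

```python
# Added example (not from the FortiGate documentation): decode the first word of
# an IPv4 header and convert between a policy's 6-bit DSCP value (e.g. 101110)
# and the ToS byte a packet sniffer displays (e.g. 0xb8).
from __future__ import annotations
from dataclasses import dataclass

# Well-known code points (RFC 2474 class selectors, RFC 3246 EF), used only for labelling.
DSCP_NAMES = {0: "CS0/default", 8: "CS1", 16: "CS2", 24: "CS3", 32: "CS4",
              40: "CS5", 46: "EF", 48: "CS6", 56: "CS7"}


@dataclass(frozen=True)
class FirstWord:
    """Fields packed into the first 16 bits of an IPv4 header."""
    version: int
    ihl_words: int   # header length in 32-bit words (5 when there are no options)
    dscp: int        # upper 6 bits of the ToS byte
    ecn: int         # lower 2 bits of the ToS byte

    @property
    def tos(self) -> int:
        return (self.dscp << 2) | self.ecn

    @property
    def dscp_binary(self) -> str:
        return format(self.dscp, "06b")

    @property
    def dscp_name(self) -> str:
        return DSCP_NAMES.get(self.dscp, "unassigned")


def dscp_to_tos(dscp_binary: str) -> int:
    """'101110' -> 0xb8: the DSCP bits shifted left past the two ECN bits."""
    if len(dscp_binary) != 6 or set(dscp_binary) - {"0", "1"}:
        raise ValueError(f"DSCP must be six binary digits, got {dscp_binary!r}")
    return int(dscp_binary, 2) << 2


def tos_to_dscp(tos: int) -> str:
    """0xb8 -> '101110': drop the ECN bits and keep the upper six."""
    return format((tos >> 2) & 0x3F, "06b")


def parse_first_word(word: int) -> FirstWord:
    """Decode a 16-bit first word such as 0x4500 (default) or 0x45b8 (EF)."""
    if not 0 <= word <= 0xFFFF:
        raise ValueError("first word must fit in 16 bits")
    version, ihl, tos = word >> 12, (word >> 8) & 0xF, word & 0xFF
    if version != 4:
        raise ValueError(f"not an IPv4 header (version {version})")
    if ihl < 5:
        raise ValueError(f"IHL {ihl} is below the 5-word minimum")
    return FirstWord(version, ihl, tos >> 2, tos & 0x3)


def parse_header_bytes(header: bytes) -> FirstWord:
    """Decode the first word from raw header bytes as captured on the wire."""
    if len(header) < 2:
        raise ValueError("need at least two header bytes")
    return parse_first_word(int.from_bytes(header[:2], "big"))


def check_marking(observed: dict[str, bytes], expected: dict[str, str]) -> list[str]:
    """Report capture points whose DSCP differs from what the policy should have set.

    Capture points absent from `expected` are expected to carry the default 000000."""
    mismatches = []
    for point, header in observed.items():
        seen = parse_header_bytes(header).dscp_binary
        want = expected.get(point, "000000")
        if seen != want:
            mismatches.append(f"{point}: saw {seen} (0x{dscp_to_tos(seen):02x}), expected {want}")
    return mismatches


# Constructed 20-byte IPv4 headers standing in for a sniffer capture of DSCP example 1:
# the request leaves FortiGate A already marked EF, the reply is left at the default.
SAMPLE_CAPTURES = {
    "FortiGate A port6, request in":  bytes.fromhex("45000054000040004001000000000000c0a80102"),
    "FortiGate A port3, request out": bytes.fromhex("45b80054000040004001000000000000c0a80102"),
    "FortiGate A port3, reply in":    bytes.fromhex("45000054000040004001000000000000c0a80101"),
    "FortiGate A port6, reply out":   bytes.fromhex("45000054000040004001000000000000c0a80101"),
}
EXAMPLE1_EXPECTED = {"FortiGate A port3, request out": "101110"}


def example1_check() -> list[str]:
    """Empty list means every capture point carries the DSCP the policy should produce."""
    return check_marking(SAMPLE_CAPTURES, EXAMPLE1_EXPECTED)


if __name__ == "__main__":
    for point, header in SAMPLE_CAPTURES.items():
        w = parse_header_bytes(header)
        print(f"{point}: first word 0x{header[0]:02x}{header[1]:02x} -> DSCP {w.dscp_binary} ({w.dscp_name})")
    print("mismatches:", example1_check() or "none")
```

Run it directly to see each constructed capture decoded; feed `check_marking` the first bytes of real captures from both sides of a FortiGate to confirm that a policy re-marks only the direction it was configured for.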
DSCP example 2
In this example, an ICMP ping is sent between User 1 and FortiGate B, through FortiGate A. On FortiGate B, DSCP is disabled.
FortiGate A is configured as follows:
config firewall policy
edit 2
set srcintf port6
set dstintf port3
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set diffserv-forward enable
set diffservcode-forward 101110
set diffserv-reverse enable
set diffservcode-rev 101111
next
end
This means that FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic.
The binary DSCP values map to the following ToS field values:
DSCP value | ToS value |
---|---|
000000 | 0x00 |
101110 (the recommended DSCP value for Expedited Forwarding, EF) | 0xb8 |
101111 | 0xbc |
The following diagram shows the IP headers for the requests and replies, as captured by packet sniffers on the network interfaces of FortiGate A and FortiGate B, when an ICMP ping is sent between User 1 and User 2. The last two hexadecimal digits of each IP header's first word are the ToS field, which contains the DSCP value.
DSCP example 3
In this example, an ICMP ping is sent between User 1 and FortiGate B, through FortiGate A. On FortiGate A, DSCP is enabled for both traffic directions. On FortiGate B, DSCP is enabled for reply traffic only.
FortiGate A is configured as follows:
config firewall policy
edit 2
set srcintf port6
set dstintf port3
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set diffserv-forward enable
set diffservcode-forward 101110
set diffserv-reverse enable
set diffservcode-rev 101111
next
end
FortiGate B is configured as follows:
config firewall policy
edit 2
set srcintf wan2
set dstintf internal
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set diffserv-reverse enable
set diffservcode-rev 101101
next
end
This means that FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic. FortiGate B changes the DSCP field for reply traffic only.
The binary DSCP values map to the following ToS field values:
DSCP value | ToS value |
---|---|
000000 | 0x00 |
101101 | 0xb4 |
101110 (the recommended DSCP value for Expedited Forwarding, EF) | 0xb8 |
101111 | 0xbc |
The following diagram shows the IP headers for the requests and replies, as captured by packet sniffers on the network interfaces of FortiGate A and FortiGate B, when an ICMP ping is sent between User 1 and User 2. The last two hexadecimal digits of each IP header's first word are the ToS field, which contains the DSCP value.
DSCP example 4
In this example, HTTPS and DNS traffic is sent from User 1 to FortiGate B, through FortiGate A. On FortiGate A, DSCP is enabled for both traffic directions. On FortiGate B, DSCP is enabled for reply traffic only.
FortiGate A is configured as follows:
config firewall policy
edit 2
set srcintf port6
set dstintf port3
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set diffserv-forward enable
set diffservcode-forward 101110
set diffserv-reverse enable
set diffservcode-rev 101111
next
end
FortiGate B is configured as follows:
config firewall policy
edit 2
set srcintf wan2
set dstintf internal
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set diffserv-reverse enable
set diffservcode-rev 101101
next
end
This means that FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic. FortiGate B changes the DSCP field only for reply traffic that passes through its internal interface. Since the traffic in the example doesn't pass through the internal interface, FortiGate B doesn't mark the packets.
The binary DSCP values map to the following ToS field values:
DSCP value | ToS value |
---|---|
000000 | 0x00 |
101101 (configured on FortiGate B, but not observed by the packet sniffer because, in this example, the traffic originates from the FortiGate itself and therefore doesn't match that security policy) | 0xb4 |
101110 (the recommended DSCP value for Expedited Forwarding, EF) | 0xb8 |
101111 | 0xbc |
The following diagram shows the IP headers for the requests and replies, as captured by packet sniffers on the network interfaces of FortiGate A and FortiGate B, when HTTPS or DNS traffic is sent from User 1 to FortiGate B. The last two hexadecimal digits of each IP header's first word are the ToS field, which contains the DSCP value.