DSCP Matching (Shaping)
This feature has three parts:
- DSCP matching in firewall policies
- DSCP matching in firewall shaping policies
- DSCP marking in firewall shaping policies
DSCP matching in firewall policies
Traffic is allowed or blocked according to the DSCP values in the incoming packets.
The following CLI variables are added to the config firewall policy
command:
tos-mask <mask_value> |
Non-zero bit positions are used for comparison. Zero bit positions are ignored (default = 0x00). This variable replaces the |
tos <tos_value> |
Type of Service (ToC) value that is used for comparison (default = 0x00). This variable is only available when This variable replaces the |
tos-negate {enable | disable} |
Enable/disable negated ToS match (default = disable). This variable is only available when This variable replaces the |
DSCP matching in firewall shaping policies
Shaping is applied to the session or not according to the DSCP values in the incoming packets. The same logic and commands as in firewall policies are used.
DSCP marking in firewall shaping policies
Traffic is allowed or blocked according to the DSCP values in the incoming packets. DSCP marking in firewall shaping policies uses the same logic and commands as in firewall policy and traffic-shaper.
When DSCP marking on firewall shaper traffic-shaper
, firewall shaping-policy
, and firewall policy
all apply to the same session, shaping-policy
overrides policy
, and shaper traffic-shaper
overrides both shaping-policy
and policy
.
The following CLI variables in config firewall policy
are used to mark the packets:
diffserv-forward {enable | disable} |
Enable/disable changing a packet's DiffServ values to the value specified in |
diffservcode-forward <dscp_value> |
The value that packet's DiffServ is set to (default = 000000). This variable is only available when |
diffserv-reverse {enable | disable} |
Enable/disable changing a packet's reverse (reply) DiffServ values to the value specified in |
diffservcode-rev <dscp_value> |
The value that packet's reverse (reply) DiffServ is set to (default = 000000). This variable is only available when |
Examples
Example 1
FortiGate A marks traffic from the sales and QA teams with different DSCP values. FortiGate B does DSCP matching, allowing only the sales team to access the database.
- Configure FortiGate A:
config firewall policy edit 1 set srcintf "port2" set dstintf "port3" set srcaddr "QA" set dstaddr "all" set action accept set schedule "always" set service "ALL" set diffserv-forward enableset diffservcode-forward 110000 set nat enable next edit 5 set srcintf "port2" set dstintf "port3" set srcaddr "Sales" set dstaddr "all" set action accept set schedule "always" set service "ALL" set diffserv-forward enableset diffservcode-forward 111011 set nat enable next end
- Configure FortiGate B:
config firewall policy edit 2 set srcintf "port3" set dstintf "port1" set srcaddr "all" set dstaddr "Database" set action accept set schedule "always" set service "ALL" set tos-mask 0xf0set tos 0xe0 set fsso disable set nat enable next end
Example 2
FortiGate A marks traffic from the sales and QA teams with different DSCP values. FortiGate B uses a firewall shaping policy to do the DSCP matching, limiting the connection speed of the sales team to the database to 10MB/s.
- Configure FortiGate A:
config firewall policy edit 1 set srcintf "port2" set dstintf "port3" set srcaddr "QA" set dstaddr "all" set action accept set schedule "always" set service "ALL" set diffserv-forward enableset diffservcode-forward 110000 set nat enable next edit 5 set srcintf "port2" set dstintf "port3" set srcaddr "Sales" set dstaddr "all" set action accept set schedule "always" set service "ALL" set diffserv-forward enableset diffservcode-forward 111011 set nat enable next end
- Configure FortiGate B:
config firewall policy edit 2 set srcintf "port3" set dstintf "port1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next end config firewall shaper traffic-shaper edit "10MB/s" set guaranteed-bandwidth 60000 set maximum-bandwidth 80000 next end config firewall shaping-policy edit 1 set service "ALL" set dstintf "port1" set tos-mask 0xf0set tos 0xe0 set traffic-shaper "10MB/s" set srcaddr "all" set dstaddr "all" next end
Example 3
FortiGate A has a traffic shaping policy to mark traffic from the QA team with a DSCP value of 100000, while reverse traffic is marked with 000011.
- Configure FortiGate A:
config firewall shaping-policy edit 1 set name "QA Team 50MB" set service "ALL" set dstintf "port3" set traffic-shaper "50MB/s" set traffic-shaper-reverse "50MB/s" set diffserv-forward enable set diffserv-reverse enable set srcaddr "QA" set dstaddr "all" set diffservcode-forward 100000set diffservcode-rev 000011 next end