Fortinet white logo
Fortinet white logo

New Features

DSCP Matching (Shaping)

DSCP Matching (Shaping)

This feature has three parts:

DSCP matching in firewall policies

Traffic is allowed or blocked according to the DSCP values in the incoming packets.

The following CLI variables are added to the config firewall policy command:

tos-mask <mask_value>

Non-zero bit positions are used for comparison. Zero bit positions are ignored (default = 0x00).

This variable replaces the dscp-match variable.

tos <tos_value>

Type of Service (ToC) value that is used for comparison (default = 0x00). This variable is only available when tos-mask is not zero.

This variable replaces the dscp-value variable.

tos-negate {enable | disable}

Enable/disable negated ToS match (default = disable). This variable is only available when tos-mask is not zero.

This variable replaces the dscp-negate variable.

DSCP matching in firewall shaping policies

Shaping is applied to the session or not according to the DSCP values in the incoming packets. The same logic and commands as in firewall policies are used.

DSCP marking in firewall shaping policies

Traffic is allowed or blocked according to the DSCP values in the incoming packets. DSCP marking in firewall shaping policies uses the same logic and commands as in firewall policy and traffic-shaper.

When DSCP marking on firewall shaper traffic-shaper, firewall shaping-policy, and firewall policy all apply to the same session, shaping-policy overrides policy, and shaper traffic-shaper overrides both shaping-policy and policy.

The following CLI variables in config firewall policy are used to mark the packets:

diffserv-forward {enable | disable}

Enable/disable changing a packet's DiffServ values to the value specified in diffservcode-forward (default = disable).

diffservcode-forward <dscp_value>

The value that packet's DiffServ is set to (default = 000000). This variable is only available when diffserv-forward is enabled.

diffserv-reverse {enable | disable}

Enable/disable changing a packet's reverse (reply) DiffServ values to the value specified in diffservcode-rev (default = disable).

diffservcode-rev <dscp_value>

The value that packet's reverse (reply) DiffServ is set to (default = 000000). This variable is only available when diffserv-rev is enabled.

Examples

Example 1

FortiGate A marks traffic from the sales and QA teams with different DSCP values. FortiGate B does DSCP matching, allowing only the sales team to access the database.

  1. Configure FortiGate A:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "QA"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set diffserv-forward enableset diffservcode-forward 110000
            set nat enable
        next
    
        edit 5
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "Sales"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set diffserv-forward enableset diffservcode-forward 111011
            set nat enable
        next
    end
  2. Configure FortiGate B:
    config firewall policy
        edit 2
            set srcintf "port3"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Database"
            set action accept
            set schedule "always"
            set service "ALL"
            set tos-mask 0xf0set tos 0xe0
            set fsso disable
            set nat enable
        next
    end

Example 2

FortiGate A marks traffic from the sales and QA teams with different DSCP values. FortiGate B uses a firewall shaping policy to do the DSCP matching, limiting the connection speed of the sales team to the database to 10MB/s.

  1. Configure FortiGate A:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "QA"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set diffserv-forward enableset diffservcode-forward 110000
            set nat enable
        next
    
        edit 5
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "Sales"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set diffserv-forward enableset diffservcode-forward 111011
            set nat enable
        next
    end
  2. Configure FortiGate B:
    config firewall policy
        edit 2
            set srcintf "port3"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
    
    config firewall shaper traffic-shaper
        edit "10MB/s"
            set guaranteed-bandwidth 60000
            set maximum-bandwidth 80000
        next
    end
    
    config firewall shaping-policy
        edit 1
            set service "ALL"
            set dstintf "port1"
            set tos-mask 0xf0set tos 0xe0
            set traffic-shaper "10MB/s"
            set srcaddr "all"
            set dstaddr "all"
        next
    end

Example 3

FortiGate A has a traffic shaping policy to mark traffic from the QA team with a DSCP value of 100000, while reverse traffic is marked with 000011.

  1. Configure FortiGate A:
    config firewall shaping-policy
        edit 1
            set name "QA Team 50MB"
            set service "ALL"
            set dstintf "port3"
            set traffic-shaper "50MB/s"
            set traffic-shaper-reverse "50MB/s"
            set diffserv-forward enable
            set diffserv-reverse enable
            set srcaddr "QA"
            set dstaddr "all"
            set diffservcode-forward 100000set diffservcode-rev 000011
        next
    end

Related Videos

sidebar video

Differentiated Services Code Point Matching in Shaping policies

  • 803 views
  • 5 years ago

DSCP Matching (Shaping)

DSCP Matching (Shaping)

This feature has three parts:

DSCP matching in firewall policies

Traffic is allowed or blocked according to the DSCP values in the incoming packets.

The following CLI variables are added to the config firewall policy command:

tos-mask <mask_value>

Non-zero bit positions are used for comparison. Zero bit positions are ignored (default = 0x00).

This variable replaces the dscp-match variable.

tos <tos_value>

Type of Service (ToC) value that is used for comparison (default = 0x00). This variable is only available when tos-mask is not zero.

This variable replaces the dscp-value variable.

tos-negate {enable | disable}

Enable/disable negated ToS match (default = disable). This variable is only available when tos-mask is not zero.

This variable replaces the dscp-negate variable.

DSCP matching in firewall shaping policies

Shaping is applied to the session or not according to the DSCP values in the incoming packets. The same logic and commands as in firewall policies are used.

DSCP marking in firewall shaping policies

Traffic is allowed or blocked according to the DSCP values in the incoming packets. DSCP marking in firewall shaping policies uses the same logic and commands as in firewall policy and traffic-shaper.

When DSCP marking on firewall shaper traffic-shaper, firewall shaping-policy, and firewall policy all apply to the same session, shaping-policy overrides policy, and shaper traffic-shaper overrides both shaping-policy and policy.

The following CLI variables in config firewall policy are used to mark the packets:

diffserv-forward {enable | disable}

Enable/disable changing a packet's DiffServ values to the value specified in diffservcode-forward (default = disable).

diffservcode-forward <dscp_value>

The value that packet's DiffServ is set to (default = 000000). This variable is only available when diffserv-forward is enabled.

diffserv-reverse {enable | disable}

Enable/disable changing a packet's reverse (reply) DiffServ values to the value specified in diffservcode-rev (default = disable).

diffservcode-rev <dscp_value>

The value that packet's reverse (reply) DiffServ is set to (default = 000000). This variable is only available when diffserv-rev is enabled.

Examples

Example 1

FortiGate A marks traffic from the sales and QA teams with different DSCP values. FortiGate B does DSCP matching, allowing only the sales team to access the database.

  1. Configure FortiGate A:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "QA"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set diffserv-forward enableset diffservcode-forward 110000
            set nat enable
        next
    
        edit 5
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "Sales"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set diffserv-forward enableset diffservcode-forward 111011
            set nat enable
        next
    end
  2. Configure FortiGate B:
    config firewall policy
        edit 2
            set srcintf "port3"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Database"
            set action accept
            set schedule "always"
            set service "ALL"
            set tos-mask 0xf0set tos 0xe0
            set fsso disable
            set nat enable
        next
    end

Example 2

FortiGate A marks traffic from the sales and QA teams with different DSCP values. FortiGate B uses a firewall shaping policy to do the DSCP matching, limiting the connection speed of the sales team to the database to 10MB/s.

  1. Configure FortiGate A:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "QA"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set diffserv-forward enableset diffservcode-forward 110000
            set nat enable
        next
    
        edit 5
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "Sales"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set diffserv-forward enableset diffservcode-forward 111011
            set nat enable
        next
    end
  2. Configure FortiGate B:
    config firewall policy
        edit 2
            set srcintf "port3"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
    
    config firewall shaper traffic-shaper
        edit "10MB/s"
            set guaranteed-bandwidth 60000
            set maximum-bandwidth 80000
        next
    end
    
    config firewall shaping-policy
        edit 1
            set service "ALL"
            set dstintf "port1"
            set tos-mask 0xf0set tos 0xe0
            set traffic-shaper "10MB/s"
            set srcaddr "all"
            set dstaddr "all"
        next
    end

Example 3

FortiGate A has a traffic shaping policy to mark traffic from the QA team with a DSCP value of 100000, while reverse traffic is marked with 000011.

  1. Configure FortiGate A:
    config firewall shaping-policy
        edit 1
            set name "QA Team 50MB"
            set service "ALL"
            set dstintf "port3"
            set traffic-shaper "50MB/s"
            set traffic-shaper-reverse "50MB/s"
            set diffserv-forward enable
            set diffserv-reverse enable
            set srcaddr "QA"
            set dstaddr "all"
            set diffservcode-forward 100000set diffservcode-rev 000011
        next
    end