Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Cookbook

    6.2.10
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.0
    6.0.0
    5.6.0
    5.4.0

    Results

    Results

    The following sections show the function of the FortiGate and specifically of secure SD-WAN with respect to DSCP tagged traffic steering, and can be used to confirm that it is setup and running correctly:

    Verifying the DSCP tagged traffic on FortiGate

    To verify the incoming DSCP tagged traffic, we used packet sniffing and converting the sniffed traffic to a desired format. To know more about packet sniffing, refer to the Using the FortiOS built-in packet sniffer guide on the Fortinet Knowledge Base.

    For VoIP traffic that is marked with DSCP tag 0x70:

    FortiGate # diag sniffer packet any '(ip and ip[1] & 0xfc == 0x70)' 6 0 l

    We used the open-source packet analyzer Wireshark to verify that VoIP traffic is tagged with the 0x70 DSCP tag.

    DSCP tagged VoIP traffic analysis

    For web traffic marked with DSCP tag 0x30:

    FortiGate # diag sniffer packet any '(ip and ip[1] & 0xfc == 0x30)' 6 0 l

    We used the open-source packet analyzer Wireshark to verify that web traffic is tagged with the 0x30 DSCP tag.

    DSCP tagged VoIP traffic analysis

    Verifying service rules

    The following CLI commands show the appropriate DSCP tags and the corresponding interfaces selected by the SD-WAN rules to steer traffic:

    FortiGate # diag sys virtual-wan-link service

    Service(1): Address Mode(IPV4) flags=0x0

    TOS(0x70/0xf0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(jitter), link-cost-threshold(10), health-check(Default_DNS)

    Service role: standalone

    Member sub interface:

    Members:

    1: Seq_num(4), alive, jitter: 0.624, selected

    2: Seq_num(3), alive, jitter: 0.643, selected

    Dst address:

    0.0.0.0-255.255.255.255

    Service(2): Address Mode(IPV4) flags=0x0

    TOS(0x30/0xf0), Protocol(0: 1->65535), Mode(manual)

    Service role: standalone

    Member sub interface:

    Members:

    1: Seq_num(2), alive, selected

    Dst address:

    0.0.0.0-255.255.255.255

    Service(3): Address Mode(IPV4) flags=0x0

    TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)

    Service role: standalone

    Member sub interface:

    Members:

    1: Seq_num(1), alive, sla(0x1), cfg_order(0), cost(0), selected

    2: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(10), selected

    Dst address:

    0.0.0.0-255.255.255.255

    Verifying steered traffic leaving the required interface

    Go to Dashboard > Top Policies to confirm that web traffic (port 443) flows through the right underlay interface members, and VoIP traffic flows through the right overlay interface member.

    Web traffic leaves either Interface_A(port1) or Interface_B(port5).

    Steered web traffic

    VoIP traffic leaves the preferred VPN_B_Tunnel(Branch-HQ-B) interface.

    Steered VoIP traffic

    Previous
    Next

    Results

    Results

    The following sections show the function of the FortiGate and specifically of secure SD-WAN with respect to DSCP tagged traffic steering, and can be used to confirm that it is setup and running correctly:

    Verifying the DSCP tagged traffic on FortiGate

    To verify the incoming DSCP tagged traffic, we used packet sniffing and converting the sniffed traffic to a desired format. To know more about packet sniffing, refer to the Using the FortiOS built-in packet sniffer guide on the Fortinet Knowledge Base.

    For VoIP traffic that is marked with DSCP tag 0x70:

    FortiGate # diag sniffer packet any '(ip and ip[1] & 0xfc == 0x70)' 6 0 l

    We used the open-source packet analyzer Wireshark to verify that VoIP traffic is tagged with the 0x70 DSCP tag.

    DSCP tagged VoIP traffic analysis

    For web traffic marked with DSCP tag 0x30:

    FortiGate # diag sniffer packet any '(ip and ip[1] & 0xfc == 0x30)' 6 0 l

    We used the open-source packet analyzer Wireshark to verify that web traffic is tagged with the 0x30 DSCP tag.

    DSCP tagged VoIP traffic analysis

    Verifying service rules

    The following CLI commands show the appropriate DSCP tags and the corresponding interfaces selected by the SD-WAN rules to steer traffic:

    FortiGate # diag sys virtual-wan-link service

    Service(1): Address Mode(IPV4) flags=0x0

    TOS(0x70/0xf0), Protocol(0: 1->65535), Mode(priority), link-cost-factor(jitter), link-cost-threshold(10), health-check(Default_DNS)

    Service role: standalone

    Member sub interface:

    Members:

    1: Seq_num(4), alive, jitter: 0.624, selected

    2: Seq_num(3), alive, jitter: 0.643, selected

    Dst address:

    0.0.0.0-255.255.255.255

    Service(2): Address Mode(IPV4) flags=0x0

    TOS(0x30/0xf0), Protocol(0: 1->65535), Mode(manual)

    Service role: standalone

    Member sub interface:

    Members:

    1: Seq_num(2), alive, selected

    Dst address:

    0.0.0.0-255.255.255.255

    Service(3): Address Mode(IPV4) flags=0x0

    TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)

    Service role: standalone

    Member sub interface:

    Members:

    1: Seq_num(1), alive, sla(0x1), cfg_order(0), cost(0), selected

    2: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(10), selected

    Dst address:

    0.0.0.0-255.255.255.255

    Verifying steered traffic leaving the required interface

    Go to Dashboard > Top Policies to confirm that web traffic (port 443) flows through the right underlay interface members, and VoIP traffic flows through the right overlay interface member.

    Web traffic leaves either Interface_A(port1) or Interface_B(port5).

    Steered web traffic

    VoIP traffic leaves the preferred VPN_B_Tunnel(Branch-HQ-B) interface.

    Steered VoIP traffic

    Previous
    Next