DSCP matching (shaping)

This feature has three parts:

• DSCP matching in firewall policies
• DSCP matching in firewall shaping policies
• DSCP marking in firewall shaping policies

DSCP matching in firewall policies

Traffic is allowed or blocked according to the DSCP values in the incoming packets.

The following CLI variables are available in the config firewall policy command:

tos-mask <mask_value>	Non-zero bit positions are used for comparison. Zero bit positions are ignored (default = 0x00). This variable replaces the dscp-match variable.
tos <tos_value>	Type of Service (ToC) value that is used for comparison (default = 0x00). This variable is only available when tos-mask is not zero. This variable replaces the dscp-value variable.
tos-negate {enable | disable}	Enable/disable negated ToS match (default = disable). This variable is only available when tos-mask is not zero. This variable replaces the dscp-negate variable.

DSCP matching in firewall shaping policies

Shaping is applied to the session or not according to the DSCP values in the incoming packets. The same logic and commands as in firewall policies are used.

DSCP marking in firewall shaping policies

Traffic is allowed or blocked according to the DSCP values in the incoming packets. DSCP marking in firewall shaping policies uses the same logic and commands as in firewall policy and traffic-shaper.

When DSCP marking on firewall shaper traffic-shaper, firewall shaping-policy, and firewall policy all apply to the same session, shaping-policy overrides policy, and shaper traffic-shaper overrides both shaping-policy and policy.

The following CLI variables in config firewall policy are used to mark the packets:

diffserv-forward {enable | disable}	Enable/disable changing a packet's DiffServ values to the value specified in diffservcode-forward (default = disable).
diffservcode-forward <dscp_value>	The value that packet's DiffServ is set to (default = 000000). This variable is only available when diffserv-forward is enabled.
diffserv-reverse {enable | disable}	Enable/disable changing a packet's reverse (reply) DiffServ values to the value specified in diffservcode-rev (default = disable).
diffservcode-rev <dscp_value>	The value that packet's reverse (reply) DiffServ is set to (default = 000000). This variable is only available when diffserv-rev is enabled.

Examples

Example 1

FortiGate A marks traffic from the sales and QA teams with different DSCP values. FortiGate B does DSCP matching, allowing only the sales team to access the database.

1. Configure FortiGate A:

   config firewall policy
       edit 1
           set srcintf "port2"
           set dstintf "port3"
           set srcaddr "QA"
           set dstaddr "all"
           set action accept
           set schedule "always"
           set service "ALL"
           set diffserv-forward enableset diffservcode-forward 110000
           set nat enable
       next
   
       edit 5
           set srcintf "port2"
           set dstintf "port3"
           set srcaddr "Sales"
           set dstaddr "all"
           set action accept
           set schedule "always"
           set service "ALL"
           set diffserv-forward enableset diffservcode-forward 111011
           set nat enable
       next
   end

2. Configure FortiGate B:

   config firewall policy
       edit 2
           set srcintf "port3"
           set dstintf "port1"
           set srcaddr "all"
           set dstaddr "Database"
           set action accept
           set schedule "always"
           set service "ALL"
           set tos-mask 0xf0set tos 0xe0
           set fsso disable
           set nat enable
       next
   end

Example 2

FortiGate A marks traffic from the sales and QA teams with different DSCP values. FortiGate B uses a firewall shaping policy to do the DSCP matching, limiting the connection speed of the sales team to the database to 10MB/s.

1. Configure FortiGate A:

   config firewall policy
       edit 1
           set srcintf "port2"
           set dstintf "port3"
           set srcaddr "QA"
           set dstaddr "all"
           set action accept
           set schedule "always"
           set service "ALL"
           set diffserv-forward enableset diffservcode-forward 110000
           set nat enable
       next
   
       edit 5
           set srcintf "port2"
           set dstintf "port3"
           set srcaddr "Sales"
           set dstaddr "all"
           set action accept
           set schedule "always"
           set service "ALL"
           set diffserv-forward enableset diffservcode-forward 111011
           set nat enable
       next
   end

2. Configure FortiGate B:

   config firewall policy
       edit 2
           set srcintf "port3"
           set dstintf "port1"
           set srcaddr "all"
           set dstaddr "all"
           set action accept
           set schedule "always"
           set service "ALL"
           set nat enable
       next
   end
   
   config firewall shaper traffic-shaper
       edit "10MB/s"
           set guaranteed-bandwidth 60000
           set maximum-bandwidth 80000
       next
   end
   
   config firewall shaping-policy
       edit 1
           set service "ALL"
           set dstintf "port1"
           set tos-mask 0xf0set tos 0xe0
           set traffic-shaper "10MB/s"
           set srcaddr "all"
           set dstaddr "all"
       next
   end

Example 3

FortiGate A has a traffic shaping policy to mark traffic from the QA team with a DSCP value of 100000, while reverse traffic is marked with 000011.

1. Configure FortiGate A:

   config firewall shaping-policy
       edit 1
           set name "QA Team 50MB"
           set service "ALL"
           set dstintf "port3"
           set traffic-shaper "50MB/s"
           set traffic-shaper-reverse "50MB/s"
           set diffserv-forward enable
           set diffserv-reverse enable
           set srcaddr "QA"
           set dstaddr "all"
           set diffservcode-forward 100000set diffservcode-rev 000011
       next
   end