Add NetFlow fields to identify class of service

FortiOS supports two new NetFlow fields, ipClassOfService and postIpClassOfService, for identifying the class of service of a traffic flow. The FortiGate reads the TOS (IPv4) or Traffic Class (IPv6) field from the first packet of the incoming traffic flow for the ipClassOfService value, and from the first packet of the outgoing traffic flow for the postIpClassOfService value. Both fields were added to NetFlow template ID 262.

Example

In this example, a device behind the downstream FortiGate sends traffic to a device behind the upstream FortiGate. In the direction downstream FortiGate > root FortiGate > upstream FortiGate, the downstream FortiGate tags the traffic with DSCP 110000. Because the DSCP occupies the upper six bits of the TOS byte, appending two zero bits to the 6-bit DSCP value gives a TOS value of 11000000, which is 0xc0 in hexadecimal. The flow in that direction has an ipClassOfService/IP_TOS (TOS value of the first inbound packet) of 0xc0 and a postIpClassOfService/DST_TOS (TOS value of the first outbound packet) of the same 0xc0 value.

In the opposite direction, a device behind the upstream FortiGate sends traffic to a device behind the downstream FortiGate. In the direction upstream FortiGate > root FortiGate > downstream FortiGate, the upstream FortiGate tags the traffic with DSCP 111000. Appending two zero bits to the 6-bit DSCP value gives a TOS value of 11100000, which is 0xe0 in hexadecimal. The flow in that direction has an ipClassOfService/IP_TOS (TOS value of the first inbound packet) of 0xe0 and a postIpClassOfService/DST_TOS (TOS value of the first outbound packet) of the same 0xe0 value.

Wireshark is used to analyze the packets. For more information about configuring NetFlow in FortiOS, refer to the Administration Guide.

Wireshark captures

In the following capture of the NetFlow packet sent from the FortiGate to the NetFlow collector:

  • The FortiGate sends NetFlow data template IDs 258 to 269, and option template IDs 256 and 257 to the NetFlow collector containing the fields in each template (see NetFlow templates for more information).

  • Inside data template ID 262, two new fields are added, which correspond to field numbers 13 and 14 of the template.

    Field #   Type                           Element ID
    13        IP_TOS/ipClassOfService        5
    14        DST_TOS/postIpClassOfService   55

Refer to IP Flow Information Export (IPFIX) Entities for more information.

The following capture shows two flow sets corresponding to each traffic direction. Each flow set has the TOS value corresponding to the DSCP tag applied in that direction: 0xc0 for downstream FortiGate > root FortiGate > upstream FortiGate, and 0xe0 for upstream FortiGate > root FortiGate > downstream FortiGate.
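The DSCP-to-TOS arithmetic from the example and the template 262 fields in the capture above, worked through in code. This is an added example and not FortiOS or Fortinet code: it constructs a minimal NetFlow v9 export whose template 262 carries only four fields (the real FortiGate template has more), parses it back, and recovers the DSCP tag from the two class-of-service elements (IDs 5 and 55). The source/destination addresses are constructed sample values.

```python
"""Parse a NetFlow v9 export and read the class-of-service fields."""
import socket
import struct

IP_TOS, DST_TOS = 5, 55               # ipClassOfService / postIpClassOfService element IDs
IPV4_SRC_ADDR, IPV4_DST_ADDR = 8, 12  # standard NetFlow v9 address elements
TEMPLATE_ID = 262


def dscp_to_tos(dscp_bits: str) -> int:
    """Place the 6-bit DSCP in the upper bits of the TOS byte (ECN bits = 00)."""
    return int(dscp_bits, 2) << 2


def tos_to_dscp(tos: int) -> str:
    """Recover the 6-bit DSCP string from a TOS / Traffic Class byte."""
    return format(tos >> 2, "06b")


def build_sample() -> bytes:
    """Constructed export: header, template 262 (4 fields), then two data records."""
    fields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (IP_TOS, 1), (DST_TOS, 1)]
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(fields))
    tmpl += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl        # flowset id 0 = template
    recs = b""
    for src, dst, tos in [("10.1.0.10", "10.3.0.10", 0xC0),      # downstream > upstream
                          ("10.3.0.10", "10.1.0.10", 0xE0)]:     # upstream > downstream
        recs += socket.inet_aton(src) + socket.inet_aton(dst) + bytes([tos, tos])
    recs += b"\x00" * (-len(recs) % 4)                           # pad flowset to 4 bytes
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(recs)) + recs
    header = struct.pack("!HHIIII", 9, 3, 1000, 1700000000, 1, 0)  # v9, 3 records
    return header + tmpl_fs + data_fs


def parse_v9(pkt: bytes) -> list[dict]:
    """Walk the flowsets; return one {element_id: value} dict per data record."""
    version = struct.unpack_from("!H", pkt, 0)[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates, records, off = {}, [], 20                         # 20-byte header
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        body, off = pkt[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:                                           # template flowset
            tid, nfields = struct.unpack_from("!HH", body, 0)
            templates[tid] = [struct.unpack_from("!HH", body, 4 + 4 * i) for i in range(nfields)]
        elif fs_id in templates:                                 # data flowset for a known template
            fields, rec_len, pos = templates[fs_id], sum(n for _, n in templates[fs_id]), 0
            while pos + rec_len <= len(body):                    # stops before trailing padding
                rec, p = {}, pos
                for ftype, flen in fields:
                    rec[ftype], p = int.from_bytes(body[p:p + flen], "big"), p + flen
                records.append(rec)
                pos += rec_len
    return records
```

Running `parse_v9(build_sample())` yields two records whose element 5 and element 55 values are 0xc0 and 0xe0 respectively, and `tos_to_dscp` maps them back to the DSCP tags 110000 and 111000 from the example.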
