Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiGate / FortiOS 7.2.13 Administration Guide
    7.2.13
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.0

    Multi-stage DSCP marking and class ID in traffic shapers

    Multi-stage DSCP marking and class ID in traffic shapers

    Traffic shapers have a multi-stage method so that packets are marked with a different differentiated services code point (DSCP) and class id at different traffic speeds. Marking packets with a different DSCP code is for the next hop to classify the packets. The FortiGate benefits by marking packets with a different class id. Combined with the egress interface shaping profile, the FortiGate can handle the traffic differently according to its class id.

    Rule

    DSCP code

    Class ID

    speed < guarantee bandwidth

    diffservcode

    class id in shaping policy

    guarantee bandwidth < speed < exceed bandwidth

    exceed-dscp

    exceed-class-id

    exceed bandwidth < speed

    maximum-dscp

    exceed-class-id

    This example sets the following parameters:

    • When the current bandwidth is less than 50 Kbps, mark packets with diffservcode 100000 and set class id to 10.
    • When the current bandwidth is between 50 Kbps and 100 Kbps, mark packets with exceed-dscp 111000 and set exceed-class-id to 20.
    • When the current bandwidth is more than 100 Kbps, mark packets with maximum-dscp 111111 and set exceed-class-id to 20.
    To set multi-stage DSCP marking and class ID in a traffic shaper:
    config firewall shaper traffic-shaper
    edit "50k-100k-150k"
        set guaranteed-bandwidth 50
        set maximum-bandwidth 150
        set diffserv enable
        set dscp-marking-method multi-stage
        set exceed-bandwidth 100 
        set exceed-dscp 111000      
        set exceed-class-id 20
        set maximum-dscp 111111
        set diffservcode 100000
    next
end
    config firewall shaping-policy
     edit 1
         set service "ALL"
         set dstintf PORT2
         set srcaddr "all"
         set dstaddr "all"
         set class-id 10
     next
end

    Traffic shapers also have an overhead option that defines the per-packet size overhead used in rate computation.

    To set the traffic shaper overhead option:
    config firewall shaper traffic-shaper
    edit "testing"
        set guaranteed-bandwidth 50
        set maximum-bandwidth 150
        set overhead 14 <range from 0 to 100>
    next
end

    Example

    This example shows how to mark QA traffic with a different DSCP according to real-time traffic speed.

    To configure the firewall address:
    config firewall address
    edit QA_team
        set subnet 10.1.100.0/24
    next
end
    To configure the firewall shaper traffic shaper:
    config firewall shaper traffic-shaper
    edit "500k-1000k-1500k"
        set guaranteed-bandwidth 500
        set maximum-bandwidth 1500
        set diffserv enable
        set dscp-marking-method multi-stage
        set exceed-bandwidth 1000
        set exceed-dscp 111000
        set maximum-dscp 111111
        set diffservcode 100000
    next
end
    config firewall shaping-policy
    edit QA_team
        set service "ALL"
        set dstintf port1
        set traffic-shaper "500k-1000k-1500k"
        set traffic-shaper-reverse "500k-1000k-1500k"
        set srcaddr "QA_team"
        set dstaddr "all"
    next
end
    Previous
    Next

    Multi-stage DSCP marking and class ID in traffic shapers

    Multi-stage DSCP marking and class ID in traffic shapers

    Traffic shapers have a multi-stage method so that packets are marked with a different differentiated services code point (DSCP) and class id at different traffic speeds. Marking packets with a different DSCP code is for the next hop to classify the packets. The FortiGate benefits by marking packets with a different class id. Combined with the egress interface shaping profile, the FortiGate can handle the traffic differently according to its class id.

    Rule

    DSCP code

    Class ID

    speed < guarantee bandwidth

    diffservcode

    class id in shaping policy

    guarantee bandwidth < speed < exceed bandwidth

    exceed-dscp

    exceed-class-id

    exceed bandwidth < speed

    maximum-dscp

    exceed-class-id

    This example sets the following parameters:

    • When the current bandwidth is less than 50 Kbps, mark packets with diffservcode 100000 and set class id to 10.
    • When the current bandwidth is between 50 Kbps and 100 Kbps, mark packets with exceed-dscp 111000 and set exceed-class-id to 20.
    • When the current bandwidth is more than 100 Kbps, mark packets with maximum-dscp 111111 and set exceed-class-id to 20.
    To set multi-stage DSCP marking and class ID in a traffic shaper:
    config firewall shaper traffic-shaper
    edit "50k-100k-150k"
        set guaranteed-bandwidth 50
        set maximum-bandwidth 150
        set diffserv enable
        set dscp-marking-method multi-stage
        set exceed-bandwidth 100 
        set exceed-dscp 111000      
        set exceed-class-id 20
        set maximum-dscp 111111
        set diffservcode 100000
    next
end
    config firewall shaping-policy
     edit 1
         set service "ALL"
         set dstintf PORT2
         set srcaddr "all"
         set dstaddr "all"
         set class-id 10
     next
end

    Traffic shapers also have an overhead option that defines the per-packet size overhead used in rate computation.

    To set the traffic shaper overhead option:
    config firewall shaper traffic-shaper
    edit "testing"
        set guaranteed-bandwidth 50
        set maximum-bandwidth 150
        set overhead 14 <range from 0 to 100>
    next
end

    Example

    This example shows how to mark QA traffic with a different DSCP according to real-time traffic speed.

    To configure the firewall address:
    config firewall address
    edit QA_team
        set subnet 10.1.100.0/24
    next
end
    To configure the firewall shaper traffic shaper:
    config firewall shaper traffic-shaper
    edit "500k-1000k-1500k"
        set guaranteed-bandwidth 500
        set maximum-bandwidth 1500
        set diffserv enable
        set dscp-marking-method multi-stage
        set exceed-bandwidth 1000
        set exceed-dscp 111000
        set maximum-dscp 111111
        set diffservcode 100000
    next
end
    config firewall shaping-policy
    edit QA_team
        set service "ALL"
        set dstintf port1
        set traffic-shaper "500k-1000k-1500k"
        set traffic-shaper-reverse "500k-1000k-1500k"
        set srcaddr "QA_team"
        set dstaddr "all"
    next
end
    Previous
    Next