DSCP matching and DSCP marking
This section includes:
- DSCP matching in firewall policies
- DSCP matching in firewall shaping policies
- DSCP marking in firewall shaping policies
- DSCP marking for self-generated traffic
DSCP matching in firewall policies
Traffic is allowed or blocked according to the Differentiated Services Code Point (DSCP) values in the incoming packets.
The following CLI variables are available in the config firewall policy command:

tos-mask <mask_value>
    Non-zero bit positions are used for comparison. Zero bit positions are ignored (default = 0x00). This variable replaces the […].
tos <tos_value>
    Type of Service (ToS) value that is used for comparison (default = 0x00). This variable is only available when […]. This variable replaces the […].
tos-negate {enable | disable}
    Enable/disable negated ToS match (default = disable). This variable is only available when […]. This variable replaces the […].
DSCP matching in firewall shaping policies
Shaping is applied to the session or not according to the DSCP values in the incoming packets. The same logic and commands as in firewall policies are used.
DSCP marking in firewall shaping policies
Traffic is allowed or blocked according to the DSCP values in the incoming packets. DSCP marking in firewall shaping policies uses the same logic and commands as in firewall policy and traffic-shaper.
When DSCP marking in firewall shaper traffic-shaper, firewall shaping-policy, and firewall policy all apply to the same session, the shaping-policy mark overrides the policy mark, and the shaper traffic-shaper mark overrides both the shaping-policy and policy marks.
The following CLI variables in config firewall policy are used to mark the packets:

diffserv-forward {enable | disable}
    Enable/disable changing a packet's DiffServ values to the value specified in […].
diffservcode-forward <dscp_value>
    The value that the packet's DiffServ is set to (default = 000000). This variable is only available when […].
diffserv-reverse {enable | disable}
    Enable/disable changing a packet's reverse (reply) DiffServ values to the value specified in […].
diffservcode-rev <dscp_value>
    The value that the packet's reverse (reply) DiffServ is set to (default = 000000). This variable is only available when […].
The following topology is used in the examples:
Example 1
FortiGate A marks traffic from the sales and QA teams with different DSCP values. FortiGate B does DSCP matching, allowing only the sales team to access the database.
- Configure FortiGate A:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "QA"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set diffserv-forward enable
            set diffservcode-forward 110000
            set nat enable
        next
        edit 5
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "Sales"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set diffserv-forward enable
            set diffservcode-forward 111011
            set nat enable
        next
    end
- Configure FortiGate B:
    config firewall policy
        edit 2
            set srcintf "port3"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Database"
            set action accept
            set schedule "always"
            set service "ALL"
            set tos-mask 0xf0
            set tos 0xe0
            set fsso disable
            set nat enable
        next
    end
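The matching in Example 1 happens on the IPv4 ToS byte, where the six DSCP bits sit above the two ECN bits, so a DSCP of 111011 becomes a ToS byte of 0xEC and tos-mask 0xf0 compares only the upper four DSCP bits. The following Python model is an added example, not FortiOS code or output: dscp_to_tos, tos_matches and example1_decisions are names chosen here, and the policy values are the ones from FortiGate B's policy 2 above. It shows why the sales mark (111011) is accepted by policy 2 while the QA mark (110000) falls through to whatever policy follows.

```python
# Added example (not FortiOS code): models the tos-mask / tos / tos-negate
# comparison that a firewall policy applies to the IPv4 ToS byte, using the
# DSCP values from Example 1 as constructed packet marks.

def dscp_to_tos(dscp_bits: str, ecn: int = 0) -> int:
    """Build a ToS byte from a six-bit DSCP string such as '111011'."""
    if len(dscp_bits) != 6 or set(dscp_bits) - {"0", "1"}:
        raise ValueError(f"DSCP must be six binary digits, got {dscp_bits!r}")
    return (int(dscp_bits, 2) << 2) | (ecn & 0b11)

def tos_matches(tos_byte: int, tos_mask: int, tos: int, tos_negate: bool = False) -> bool:
    """Return True when the policy's ToS condition matches the packet.

    Only the bit positions set in tos_mask are compared; a zero mask means the
    policy has no ToS condition, so every packet matches. tos_negate inverts
    the result (the negated-match option of the policy).
    """
    if tos_mask == 0:
        return True
    matched = (tos_byte & tos_mask) == (tos & tos_mask)
    return not matched if tos_negate else matched

# Packets as marked by FortiGate A in Example 1 (constructed sample values)
SALES_TOS = dscp_to_tos("111011")   # 0xEC
QA_TOS = dscp_to_tos("110000")      # 0xC0

def example1_decisions() -> dict:
    """Apply FortiGate B's policy 2 (tos-mask 0xf0, tos 0xe0) to both flows."""
    policy = {"tos_mask": 0xF0, "tos": 0xE0, "tos_negate": False}
    return {
        "sales": tos_matches(SALES_TOS, **policy),
        "qa": tos_matches(QA_TOS, **policy),
    }

if __name__ == "__main__":
    for team, allowed in example1_decisions().items():
        print(f"{team}: {'matches policy 2' if allowed else 'no match, next policy'}")
```

Because the mask only covers the upper four DSCP bits, any DSCP beginning with 1110 (for example 111000 or 111011) satisfies policy 2; a mask of 0xfc would require all six DSCP bits to be equal to the configured value. This matters when the marks are used as an access decision, as in Example 1, since an upstream device can set any DSCP it likes unless the mark is reset at the network edge.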
Example 2
FortiGate A marks traffic from the sales and QA teams with different DSCP values. FortiGate B uses a firewall shaping policy to do the DSCP matching, limiting the connection speed of the sales team to the database to 10MB/s.
- Configure FortiGate A:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "QA"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set diffserv-forward enable
            set diffservcode-forward 110000
            set nat enable
        next
        edit 5
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "Sales"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set diffserv-forward enable
            set diffservcode-forward 111011
            set nat enable
        next
    end
- Configure FortiGate B:
    config firewall policy
        edit 2
            set srcintf "port3"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
    config firewall shaper traffic-shaper
        edit "10MB/s"
            set guaranteed-bandwidth 60000
            set maximum-bandwidth 80000
        next
    end
    config firewall shaping-policy
        edit 1
            set service "ALL"
            set dstintf "port1"
            set tos-mask 0xf0
            set tos 0xe0
            set traffic-shaper "10MB/s"
            set srcaddr "all"
            set dstaddr "all"
        next
    end
Example 3
FortiGate A has a traffic shaping policy to mark traffic from the QA team with a DSCP value of 100000, while reverse traffic is marked with 000011.
- Configure FortiGate A:
    config firewall shaping-policy
        edit 1
            set name "QA Team 50MB"
            set service "ALL"
            set dstintf "port3"
            set traffic-shaper "50MB/s"
            set traffic-shaper-reverse "50MB/s"
            set diffserv-forward enable
            set diffserv-reverse enable
            set srcaddr "QA"
            set dstaddr "all"
            set diffservcode-forward 100000
            set diffservcode-rev 000011
        next
    end
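Marking rewrites only the six DSCP bits of the ToS byte and leaves the two ECN bits as they were, and when several objects carry a mark for the same session the precedence given earlier in this section decides (traffic-shaper over shaping-policy over policy). The Python below is an added example, not FortiOS code: set_dscp, DscpMark, winning_mark, example3_rewrite and precedence_demo are names chosen here, the packet ToS values are constructed, and the example assumes that a traffic shaper's own mark applies to the direction the shaper is attached to (traffic-shaper for forward, traffic-shaper-reverse for reverse). It applies Example 3's forward (100000) and reverse (000011) marks and then resolves a case where all three object types mark the same direction.

```python
# Added example (not FortiOS code): models diffservcode-forward / diffservcode-rev
# rewriting of the ToS byte (ECN bits preserved) and the precedence rule
# traffic-shaper > shaping-policy > policy stated in this section.
from dataclasses import dataclass
from typing import Optional

ECN_MASK = 0b11

def set_dscp(tos_byte: int, dscp_bits: str) -> int:
    """Return the ToS byte with its six DSCP bits replaced; ECN bits are kept."""
    if len(dscp_bits) != 6 or set(dscp_bits) - {"0", "1"}:
        raise ValueError(f"DSCP must be six binary digits, got {dscp_bits!r}")
    return (int(dscp_bits, 2) << 2) | (tos_byte & ECN_MASK)

def dscp_of(tos_byte: int) -> str:
    """Six-bit DSCP string of a ToS byte, for display."""
    return format(tos_byte >> 2, "06b")

@dataclass
class DscpMark:
    """Marking settings of one object (policy, shaping policy or shaper).
    forward/reverse hold the code when marking is enabled for that direction,
    or None when it is disabled (assumed model, see lead-in)."""
    name: str
    forward: Optional[str] = None   # diffservcode-forward when diffserv-forward is enabled
    reverse: Optional[str] = None   # diffservcode-rev when diffserv-reverse is enabled

def winning_mark(policy: Optional[DscpMark], shaping_policy: Optional[DscpMark],
                 shaper: Optional[DscpMark], direction: str) -> Optional[str]:
    """Return the DSCP code that wins for one direction.

    Precedence from the text: the traffic shaper overrides the shaping policy,
    which overrides the firewall policy. Objects that do not mark this
    direction are skipped; None means nobody marks it.
    """
    if direction not in ("forward", "reverse"):
        raise ValueError("direction must be 'forward' or 'reverse'")
    for obj in (shaper, shaping_policy, policy):
        if obj is None:
            continue
        code = obj.forward if direction == "forward" else obj.reverse
        if code is not None:
            return code
    return None

# Example 3: shaping policy 1 marks forward 100000 and reverse 000011
EXAMPLE3_SHAPING_POLICY = DscpMark("QA Team 50MB", forward="100000", reverse="000011")

def example3_rewrite(orig_tos: int = 0b00000001, reply_tos: int = 0b00000010) -> dict:
    """Mark a constructed QA request/reply pair; ECN bits are set so their survival shows."""
    fwd = winning_mark(None, EXAMPLE3_SHAPING_POLICY, None, "forward")
    rev = winning_mark(None, EXAMPLE3_SHAPING_POLICY, None, "reverse")
    return {
        "forward_tos": set_dscp(orig_tos, fwd),
        "reverse_tos": set_dscp(reply_tos, rev),
    }

def precedence_demo() -> str:
    """Policy, shaping policy and shaper all mark forward traffic: the shaper's code wins."""
    policy = DscpMark("policy 1", forward="110000")
    shaping = DscpMark("shaping-policy 1", forward="100000")
    shaper = DscpMark("traffic-shaper", forward="000001")
    return winning_mark(policy, shaping, shaper, "forward")

if __name__ == "__main__":
    marks = example3_rewrite()
    print("forward DSCP:", dscp_of(marks["forward_tos"]), "ToS byte:", hex(marks["forward_tos"]))
    print("reverse DSCP:", dscp_of(marks["reverse_tos"]), "ToS byte:", hex(marks["reverse_tos"]))
    print("winning forward mark with all three objects:", precedence_demo())
```

A practical consequence of the precedence rule is that a mark set on a firewall policy can be silently replaced by a shaping policy or shaper matching the same session, so when verifying end-to-end marking it is worth checking all three object types that could match, not just the policy that permitted the traffic.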
DSCP marking for self-generated traffic
FortiOS supports DSCP and VLAN CoS marking for both local-in and local-out traffic.
Most network providers require that both application traffic and FortiGate self-generated traffic be marked with specific DSCP values to ensure efficient traffic management and quality of service (QoS). FortiOS DSCP marking ensures that self-generated traffic complies with the network's standards. This enables the FortiGate to operate as a fully functional Customer Premises Equipment (CPE) device that can connect directly to the provider's network without a CPE router.
To configure DSCP and VLAN CoS for local-in traffic:
- Configure the traffic shaper with bandwidth settings and the DSCP and VLAN CoS mark:
    config firewall shaper traffic-shaper
        edit "test-shaper-300kbps"
            set guaranteed-bandwidth 30
            set maximum-bandwidth 300
            set per-policy enable
            set diffserv enable
            set cos-marking enable
            set cos 001
            set diffservcode 000001
        next
    end
- Configure the shaping policy for local-in traffic:
    config firewall shaping-policy
        edit 2
            set traffic-type local-in
            set service "ALL"
            set traffic-shaper-reverse "test-shaper-300kbps"
            set class-id 2
            set srcaddr "all"
            set dstaddr "all"
        next
    end
- Verify that the shaper was successfully applied to the shaping policy:
    # diagnose firewall iprope list 100018
    policy index=2 uuid_idx=926 action=accept
    flag (0):
    schedule(always)
    shapers: reply=test-shaper-300kbps(2/3750/37500)
    cos_fwd=255 cos_rev=255
    group=00100018 av=00000000 au=00000000 split=00000000
    host=2 chk_client_info=0x0 app_list=0 ips_view=0
    misc=0
    zone(1): 0 -> zone(1): 0
    source(1): 0.0.0.0-255.255.255.255, uuid_idx=799,
    dest(1): 0.0.0.0-255.255.255.255, uuid_idx=799,
    service(1):
    [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
    class_id: 2
- Test local-in traffic from the PC to the FortiGate.
- Check the session list:
    # diagnose sys session list
    session info: proto=17 proto_state=01 duration=9 expire=179 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper= reply-shaper=test-shaper-300kbps prio=2 guarantee 3750Bps max 37500Bps traffic 7881Bps drops 651B per_ip_shaper=
    class_id=2 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/1
    state=local may_dirty rs
    statistic(bytes/packets/allow_err): org=337599/4717/1 reply=342414/4708/1 tuples=2
    tx speed(Bps/kbps): 34948/279 rx speed(Bps/kbps): 35446/283
    orgin->sink: org pre->in, reply out->post dev=7->48/48->7 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=noop 172.16.200.55:58382->172.16.200.2:161(0.0.0.0:0)
    hook=post dir=reply act=noop 172.16.200.2:161->172.16.200.55:58382(0.0.0.0:0)
    src_mac=00:0c:29:d6:12:20
    misc=0 policy_id=4294967295 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=2
    serial=0000249b tos=ff/01 app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=00000000
    no_ofld_reason: local
- Check the shaper information to verify the DSCP mark and bandwidth limitation:
    # diagnose firewall shaper traffic-shaper list | grep test- -A 10
    name test-shaper-300kbps
    maximum-bandwidth 37 KB/sec
    guaranteed-bandwidth 3 KB/sec
    current-bandwidth 37 KB/sec
    priority 2
    policy 2
    overhead 0
    tos 01
    packets dropped 10
    bytes dropped 725
To configure DSCP and VLAN CoS for local-out traffic:
- Configure the traffic shaper with bandwidth settings and the DSCP and VLAN CoS mark:
    config firewall shaper traffic-shaper
        edit "test-shaper-600kbps"
            set guaranteed-bandwidth 60
            set maximum-bandwidth 600
            set per-policy enable
            set diffserv enable
            set cos-marking enable
            set cos 110
            set diffservcode 110000
        next
    end
- Configure the shaping policy for local-out traffic:
    config firewall shaping-policy
        edit 5
            set traffic-type local-out
            set service "ALL"
            set traffic-shaper "test-shaper-600kbps"
            set class-id 5
            set srcaddr "all"
            set dstaddr "all"
        next
    end
- Verify that the shaper was successfully applied to the shaping policy:
    # diagnose firewall iprope list 100019
    policy index=5 uuid_idx=928 action=accept
    flag (0):
    schedule()
    shapers: orig=test-shaper-600kbps(2/7500/75000)
    cos_fwd=255 cos_rev=255
    group=00100019 av=00000000 au=00000000 split=00000000
    host=2 chk_client_info=0x0 app_list=0 ips_view=0
    misc=0
    zone(1): 0 -> zone(1): 0
    source(1): 0.0.0.0-255.255.255.255, uuid_idx=799,
    dest(1): 0.0.0.0-255.255.255.255, uuid_idx=799,
    service(1):
    [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
    class_id: 5
- Test local-out traffic from the FortiGate to the remote PC.
- Check the session list:
    # diagnose sys session list
    session info: proto=6 proto_state=01 duration=4 expire=3599 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper=test-shaper-600kbps prio=2 guarantee 7500Bps max 75000Bps traffic 73557Bps drops 70500B reply-shaper= per_ip_shaper=
    class_id=5 shaping_policy_id=5 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=6/255
    state=log local os
    statistic(bytes/packets/allow_err): org=85701/60/1 reply=2140/41/1 tuples=2
    tx speed(Bps/kbps): 19172/153 rx speed(Bps/kbps): 478/3
    orgin->sink: org out->post, reply pre->in dev=48->7/7->48 gwy=0.0.0.0/0.0.0.0
    hook=out dir=org act=noop 172.16.200.2:23964->209.52.38.114:5201(0.0.0.0:0)
    hook=in dir=reply act=noop 209.52.38.114:5201->172.16.200.2:23964(0.0.0.0:0)
    pos/(before,after) 0/(0,0), 0/(0,0)
    dst_mac=04:d5:90:5d:ed:fe
    misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=2
    serial=000152f5 tos=30/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=00000000
    no_ofld_reason: local
- Check the shaper information to verify the DSCP mark and bandwidth limitation:
    # diagnose firewall shaper traffic-shaper list | grep test- -A 10
    name test-shaper-600kbps
    maximum-bandwidth 75 KB/sec
    guaranteed-bandwidth 7 KB/sec
    current-bandwidth 65 KB/sec
    priority 2
    policy 5
    overhead 0
    tos 30
    packets dropped 5086
    bytes dropped 1148949
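The two verification steps above rely on reading the tos= and vlan_cos= fields out of the session list and comparing them with the shaper's diffservcode and cos. The following Python is an added example, not FortiOS code or output, that automates that comparison for both procedures: parse_session_marks and check_marking are names chosen here, SESSION_SAMPLES holds constructed fragments of the two session entries shown on this page, and the example assumes, as those two outputs suggest, that in tos=A/B and vlan_cos=A/B the first value belongs to the originating direction and the second to the reply direction, and that ff (for tos) and 255 (for vlan_cos) mean the direction carries no mark.

```python
# Added example (not FortiOS code): extracts the DSCP and VLAN CoS marks from
# "diagnose sys session list" output and checks them against the configured
# diffservcode / cos of the shaper that handles that direction.
import re

NO_TOS, NO_COS = 0xFF, 255   # assumed "not marked" markers, inferred from the outputs above

# Constructed: the relevant fragments of the local-in and local-out sessions on this page
SESSION_SAMPLES = {
    "local-in": "reply-shaper=test-shaper-300kbps prio=2 ... vlan_cos=0/1 ... tos=ff/01 app_list=0",
    "local-out": "origin-shaper=test-shaper-600kbps prio=2 ... vlan_cos=6/255 ... tos=30/ff app_list=0",
}

def parse_session_marks(text: str) -> dict:
    """Return DSCP (six-bit strings) and CoS (three-bit strings) for both directions.

    None means the direction is not marked. Raises if either field is absent,
    which usually means the text is not a complete session entry.
    """
    tos = re.search(r"\btos=([0-9a-f]{2})/([0-9a-f]{2})", text)
    cos = re.search(r"\bvlan_cos=(\d+)/(\d+)", text)
    if not tos or not cos:
        raise ValueError("tos= or vlan_cos= field missing from session output")

    def dscp(hexval: str):
        value = int(hexval, 16)
        return None if value == NO_TOS else format(value, "06b")

    def cos_bits(val: str):
        value = int(val)
        return None if value == NO_COS else format(value, "03b")

    return {
        "orig_dscp": dscp(tos.group(1)),
        "reply_dscp": dscp(tos.group(2)),
        "orig_cos": cos_bits(cos.group(1)),
        "reply_cos": cos_bits(cos.group(2)),
    }

def check_marking(session_text: str, direction: str, diffservcode: str, cos: str) -> bool:
    """True when the session carries exactly the shaper's diffservcode and cos in that direction.

    direction is "orig" for a shaper attached with traffic-shaper (local-out here)
    and "reply" for one attached with traffic-shaper-reverse (local-in here).
    """
    if direction not in ("orig", "reply"):
        raise ValueError("direction must be 'orig' or 'reply'")
    marks = parse_session_marks(session_text)
    return marks[f"{direction}_dscp"] == diffservcode and marks[f"{direction}_cos"] == cos

if __name__ == "__main__":
    # Shaper settings from the two procedures above
    print("local-in reply marked as configured:",
          check_marking(SESSION_SAMPLES["local-in"], "reply", "000001", "001"))
    print("local-out orig marked as configured:",
          check_marking(SESSION_SAMPLES["local-out"], "orig", "110000", "110"))
```

The same conversion explains the shaper list output: "tos 30" on test-shaper-600kbps is the configured diffservcode 110000 written in hex, and "tos 01" on test-shaper-300kbps is 000001. Running a check like this after a change catches the two common failure modes, a shaper attached in the wrong direction (traffic-shaper versus traffic-shaper-reverse) and a mark that a higher-precedence object has overwritten.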