Administration Guide

DSCP matching and DSCP marking

DSCP matching in firewall policies

Traffic is allowed or blocked according to the Differentiated Services Code Point (DSCP) values in the incoming packets.

The following CLI variables are available in the config firewall policy command:

tos-mask <mask_value>

Non-zero bit positions are used for comparison. Zero bit positions are ignored (default = 0x00).

This variable replaces the dscp-match variable.

tos <tos_value>

Type of Service (ToS) value that is used for comparison (default = 0x00). This variable is only available when tos-mask is not zero.

This variable replaces the dscp-value variable.

tos-negate {enable | disable}

Enable/disable negated ToS match (default = disable). This variable is only available when tos-mask is not zero.

This variable replaces the dscp-negate variable.

DSCP matching in firewall shaping policies

Whether shaping is applied to a session depends on the DSCP values in the incoming packets. The same logic and commands as in firewall policies are used.

DSCP marking in firewall shaping policies

Traffic is allowed or blocked according to the DSCP values in the incoming packets. DSCP marking in firewall shaping policies uses the same logic and commands as in firewall policy and traffic-shaper.

When DSCP marking settings in firewall shaper traffic-shaper, firewall shaping-policy, and firewall policy all apply to the same session, shaping-policy overrides policy, and shaper traffic-shaper overrides both shaping-policy and policy.

The following CLI variables in config firewall policy are used to mark the packets:

diffserv-forward {enable | disable}

Enable/disable changing a packet's DiffServ values to the value specified in diffservcode-forward (default = disable).

diffservcode-forward <dscp_value>

The value that the packet's DiffServ is set to (default = 000000). This variable is only available when diffserv-forward is enabled.

diffserv-reverse {enable | disable}

Enable/disable changing a packet's reverse (reply) DiffServ values to the value specified in diffservcode-rev (default = disable).

diffservcode-rev <dscp_value>

The value that the packet's reverse (reply) DiffServ is set to (default = 000000). This variable is only available when diffserv-reverse is enabled.

The following topology is used in the examples:

Example 1

FortiGate A marks traffic from the sales and QA teams with different DSCP values. FortiGate B does DSCP matching, allowing only the sales team to access the database.

  1. Configure FortiGate A:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "QA"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set diffserv-forward enable
            set diffservcode-forward 110000
            set nat enable
        next
        edit 5
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "Sales"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set diffserv-forward enable
            set diffservcode-forward 111011
            set nat enable
        next
    end
  2. Configure FortiGate B:
    config firewall policy
        edit 2
            set srcintf "port3"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "Database"
            set action accept
            set schedule "always"
            set service "ALL"
            set tos-mask 0xf0
            set tos 0xe0
            set fsso disable
            set nat enable
        next
    end
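
The matching logic that Examples 1 and 2 rely on, as an added Python example (not Fortinet code): it converts the six-bit diffservcode-forward values to the ToS byte, applies the tos-mask/tos comparison described above, and lists every DSCP code point a given mask accepts. It assumes DSCP occupies the upper six bits of the ToS byte and that both the packet value and tos are masked before comparison; the function names and the 0xfc/0xec pair are illustrative and do not appear on this page.

```python
def dscp_to_tos_byte(dscp_bits: str) -> int:
    """Convert a 6-bit DSCP string such as '111011' to the 8-bit ToS byte.

    DSCP occupies the upper six bits of the byte; the low two bits (ECN)
    are left at zero here.
    """
    if len(dscp_bits) != 6 or set(dscp_bits) - {"0", "1"}:
        raise ValueError(f"expected six binary digits, got {dscp_bits!r}")
    return int(dscp_bits, 2) << 2


def tos_match(tos_byte: int, mask: int, tos: int, negate: bool = False) -> bool:
    """Compare only the bit positions set in mask; negate inverts the result.

    Assumption: a zero mask means there is no ToS criterion, so every
    packet matches (tos and tos-negate are unavailable in that case).
    """
    if mask == 0:
        return True
    hit = (tos_byte & mask) == (tos & mask)
    return hit != negate


def matching_dscp_values(mask: int, tos: int, negate: bool = False) -> list[str]:
    """Return every DSCP code point (six-bit string) the criterion accepts."""
    return [
        format(dscp, "06b")
        for dscp in range(64)
        if tos_match(dscp << 2, mask, tos, negate)
    ]


# Values taken from Example 1 on this page.
MARKS = {"QA": "110000", "Sales": "111011"}
MASK, TOS = 0xF0, 0xE0


def evaluate_example_1() -> dict[str, bool]:
    """Apply FortiGate B's tos-mask/tos pair to FortiGate A's two markings."""
    return {
        team: tos_match(dscp_to_tos_byte(bits), MASK, TOS)
        for team, bits in MARKS.items()
    }


if __name__ == "__main__":
    for team, allowed in evaluate_example_1().items():
        print(f"{team:5} DSCP {MARKS[team]} -> {'match' if allowed else 'no match'}")
    print("mask 0xf0 / tos 0xe0 accepts:", matching_dscp_values(MASK, TOS))
    # Illustrative tighter pair (not from this page): compare all six DSCP bits.
    print("mask 0xfc / tos 0xec accepts:", matching_dscp_values(0xFC, 0xEC))
```

With mask 0xf0 the criterion accepts four code points (111000 to 111011), not only the Sales value, so the match on FortiGate B is only as trustworthy as the device that applies the marking.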

Example 2

FortiGate A marks traffic from the sales and QA teams with different DSCP values. FortiGate B uses a firewall shaping policy to do the DSCP matching, limiting the connection speed of the sales team to the database to 10MB/s.

  1. Configure FortiGate A:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "QA"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set diffserv-forward enable
            set diffservcode-forward 110000
            set nat enable
        next
        edit 5
            set srcintf "port2"
            set dstintf "port3"
            set srcaddr "Sales"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set diffserv-forward enable
            set diffservcode-forward 111011
            set nat enable
        next
    end
  2. Configure FortiGate B:
    config firewall policy
        edit 2
            set srcintf "port3"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
    config firewall shaper traffic-shaper
        edit "10MB/s"
            set guaranteed-bandwidth 60000
            set maximum-bandwidth 80000
        next
    end
    config firewall shaping-policy
        edit 1
            set service "ALL"
            set dstintf "port1"
            set tos-mask 0xf0
            set tos 0xe0
            set traffic-shaper "10MB/s"
            set srcaddr "all"
            set dstaddr "all"
        next
    end

Example 3

FortiGate A has a traffic shaping policy to mark traffic from the QA team with a DSCP value of 100000, while reverse traffic is marked with 000011.

  1. Configure FortiGate A:
    config firewall shaping-policy
        edit 1
            set name "QA Team 50MB"
            set service "ALL"
            set dstintf "port3"
            set traffic-shaper "50MB/s"
            set traffic-shaper-reverse "50MB/s"
            set diffserv-forward enable
            set diffserv-reverse enable
            set srcaddr "QA"
            set dstaddr "all"
            set diffservcode-forward 100000
            set diffservcode-rev 000011
        next
    end

DSCP marking for self-generated traffic

FortiOS supports DSCP and VLAN CoS marking for both local-in and local-out traffic.

Most network providers require that both application traffic and FortiGate self-generated traffic be marked with specific DSCP values to ensure efficient traffic management and quality of service (QoS). FortiOS DSCP marking ensures that self-generated traffic complies with the network's standards. This enables the FortiGate to operate as a fully functional Customer Premises Equipment (CPE) that is capable of directly connecting to the provider's network without a CPE router.

To configure DSCP and VLAN CoS for local-in traffic:
  1. Configure the traffic shaper with bandwidth settings and the DSCP and VLAN CoS mark:

    config firewall shaper traffic-shaper
        edit "test-shaper-300kbps"
            set guaranteed-bandwidth 30
            set maximum-bandwidth 300
            set per-policy enable
            set diffserv enable
            set cos-marking enable
            set cos 001
            set diffservcode 000001
        next
    end
  2. Configure the shaping policy for local-in traffic:

    config firewall shaping-policy
        edit 2
            set traffic-type local-in
            set service "ALL"
            set traffic-shaper-reverse "test-shaper-300kbps"
            set class-id 2
            set srcaddr "all"
            set dstaddr "all"
        next
    end
  3. Verify that the shaper was successfully applied to the shaping policy:

    # diagnose firewall iprope list 100018
    policy index=2 uuid_idx=926 action=accept
    flag (0):
    schedule(always)
    shapers: reply=test-shaper-300kbps(2/3750/37500)
    cos_fwd=255  cos_rev=255
    group=00100018 av=00000000 au=00000000 split=00000000
    host=2 chk_client_info=0x0 app_list=0 ips_view=0
    misc=0
    zone(1): 0 -> zone(1): 0
    source(1): 0.0.0.0-255.255.255.255, uuid_idx=799,
    dest(1): 0.0.0.0-255.255.255.255, uuid_idx=799,
    service(1):
            [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
    class_id: 2
  4. Test local-in traffic from the PC to the FortiGate.

    1. Check the session list:

      # diagnose sys session list
      session info: proto=17 proto_state=01 duration=9 expire=179 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
      origin-shaper=
      reply-shaper=test-shaper-300kbps prio=2 guarantee 3750Bps max 37500Bps traffic 7881Bps drops 651B
      per_ip_shaper=
      class_id=2 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/1
      state=local may_dirty rs
      statistic(bytes/packets/allow_err): org=337599/4717/1 reply=342414/4708/1 tuples=2
      tx speed(Bps/kbps): 34948/279 rx speed(Bps/kbps): 35446/283
      orgin->sink: org pre->in, reply out->post dev=7->48/48->7 gwy=0.0.0.0/0.0.0.0
      hook=pre dir=org act=noop 172.16.200.55:58382->172.16.200.2:161(0.0.0.0:0)
      hook=post dir=reply act=noop 172.16.200.2:161->172.16.200.55:58382(0.0.0.0:0)
      src_mac=00:0c:29:d6:12:20
      misc=0 policy_id=4294967295 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=2
      serial=0000249b tos=ff/01 app_list=0 app=0 url_cat=0
      rpdb_link_id=00000000 ngfwid=n/a
      npu_state=00000000
      no_ofld_reason:  local
    2. Check the shaper information to verify the DSCP mark and bandwidth limitation:

      # diagnose firewall shaper traffic-shaper list | grep test- -A 10
      name test-shaper-300kbps
      maximum-bandwidth 37 KB/sec
      guaranteed-bandwidth 3 KB/sec
      current-bandwidth 37 KB/sec
      priority 2
      policy 2
      overhead 0
      tos 01
      packets dropped 10
      bytes dropped 725

To configure DSCP and VLAN CoS for local-out traffic:
  1. Configure the traffic shaper with bandwidth settings and the DSCP and VLAN CoS mark:

    config firewall shaper traffic-shaper
        edit "test-shaper-600kbps"
            set guaranteed-bandwidth 60
            set maximum-bandwidth 600
            set per-policy enable
            set diffserv enable
            set cos-marking enable
            set cos 110
            set diffservcode 110000
        next
    end
  2. Configure the shaping policy for local-out traffic:

    config firewall shaping-policy
        edit 5
            set traffic-type local-out
            set service "ALL"
            set traffic-shaper "test-shaper-600kbps"
            set class-id 5
            set srcaddr "all"
            set dstaddr "all"
        next
    end
  3. Verify that the shaper was successfully applied to the shaping policy:

    # diagnose firewall iprope list 100019
    policy index=5 uuid_idx=928 action=accept
    flag (0):
    schedule()
    shapers: orig=test-shaper-600kbps(2/7500/75000)
    cos_fwd=255  cos_rev=255
    group=00100019 av=00000000 au=00000000 split=00000000
    host=2 chk_client_info=0x0 app_list=0 ips_view=0
    misc=0
    zone(1): 0 -> zone(1): 0
    source(1): 0.0.0.0-255.255.255.255, uuid_idx=799,
    dest(1): 0.0.0.0-255.255.255.255, uuid_idx=799,
    service(1):
            [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
    class_id: 5 
  4. Test local-out traffic from the FortiGate to the remote PC.

    1. Check the session list:

      # diagnose sys session list
      session info: proto=6 proto_state=01 duration=4 expire=3599 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
      origin-shaper=test-shaper-600kbps prio=2 guarantee 7500Bps max 75000Bps traffic 73557Bps drops 70500B
      reply-shaper=
      per_ip_shaper=
      class_id=5 shaping_policy_id=5 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=6/255
      state=log local os
      statistic(bytes/packets/allow_err): org=85701/60/1 reply=2140/41/1 tuples=2
      tx speed(Bps/kbps): 19172/153 rx speed(Bps/kbps): 478/3
      orgin->sink: org out->post, reply pre->in dev=48->7/7->48 gwy=0.0.0.0/0.0.0.0
      hook=out dir=org act=noop 172.16.200.2:23964->209.52.38.114:5201(0.0.0.0:0)
      hook=in dir=reply act=noop 209.52.38.114:5201->172.16.200.2:23964(0.0.0.0:0)
      pos/(before,after) 0/(0,0), 0/(0,0)
      dst_mac=04:d5:90:5d:ed:fe
      misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=2
      serial=000152f5 tos=30/ff app_list=0 app=0 url_cat=0
      rpdb_link_id=00000000 ngfwid=n/a
      npu_state=00000000
      no_ofld_reason:  local
    2. Check the shaper information to verify the DSCP mark and bandwidth limitation:

      #  diagnose firewall shaper traffic-shaper list | grep test- -A 10
      name test-shaper-600kbps
      maximum-bandwidth 75 KB/sec
      guaranteed-bandwidth 7 KB/sec
      current-bandwidth 65 KB/sec
      priority 2
      policy 5
      overhead 0
      tos 30
      packets dropped 5086
      bytes dropped 1148949 
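
The verification steps in the two procedures above can be scripted. The following added Python example (not Fortinet code) parses a saved `diagnose sys session list` entry and compares it with the configured shaper. It assumes bandwidth settings are in kbps, and that `tos=` and `vlan_cos=` are origin/reply pairs with `tos` printed as the DSCP value in hex, which is inferred from the two outputs on this page; all function names are illustrative.

```python
import re

# Excerpt copied from the local-in session output on this page.
LOCAL_IN_SESSION = """\
origin-shaper=
reply-shaper=test-shaper-300kbps prio=2 guarantee 3750Bps max 37500Bps traffic 7881Bps drops 651B
class_id=2 shaping_policy_id=2 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/1
serial=0000249b tos=ff/01 app_list=0 app=0 url_cat=0
"""

SHAPER_RE = re.compile(
    r"^[ \t]*(origin|reply)-shaper=(\S+) prio=\d+ guarantee (\d+)Bps max (\d+)Bps",
    re.M,
)


def parse_session(text: str) -> dict:
    """Extract shaper, DSCP, CoS and shaping-policy fields from one entry."""
    shapers = {
        m.group(1): {
            "name": m.group(2),
            "guarantee_Bps": int(m.group(3)),
            "max_Bps": int(m.group(4)),
        }
        for m in SHAPER_RE.finditer(text)  # an empty "origin-shaper=" is skipped
    }
    tos = re.search(r"\btos=([0-9a-f]{2})/([0-9a-f]{2})", text)
    cos = re.search(r"\bvlan_cos=(\d+)/(\d+)", text)
    pol = re.search(r"\bshaping_policy_id=(\d+)", text)
    if not (tos and cos and pol):
        raise ValueError("entry is missing tos, vlan_cos or shaping_policy_id")
    return {
        "shapers": shapers,
        "tos": {"origin": int(tos.group(1), 16), "reply": int(tos.group(2), 16)},
        "vlan_cos": {"origin": int(cos.group(1)), "reply": int(cos.group(2))},
        "shaping_policy_id": int(pol.group(1)),
    }


def kbps_to_bytes_per_sec(kbps: int) -> int:
    """Assumption: configured bandwidth is in kbps; the session shows bytes/s."""
    return kbps * 1000 // 8


def verify(session: dict, direction: str, shaper: str, guaranteed_kbps: int,
           maximum_kbps: int, diffservcode: str, cos: str, policy_id: int) -> list[str]:
    """Return the mismatches between the configuration and the session entry."""
    problems = []
    seen = session["shapers"].get(direction)
    if seen is None or seen["name"] != shaper:
        problems.append(f"{direction}-shaper is not {shaper}")
    else:
        if seen["guarantee_Bps"] != kbps_to_bytes_per_sec(guaranteed_kbps):
            problems.append("guaranteed bandwidth differs from configuration")
        if seen["max_Bps"] != kbps_to_bytes_per_sec(maximum_kbps):
            problems.append("maximum bandwidth differs from configuration")
    if session["tos"][direction] != int(diffservcode, 2):
        problems.append(f"{direction} DSCP mark is not {diffservcode}")
    if session["vlan_cos"][direction] != int(cos, 2):
        problems.append(f"{direction} VLAN CoS mark is not {cos}")
    if session["shaping_policy_id"] != policy_id:
        problems.append(f"session is not using shaping policy {policy_id}")
    return problems


if __name__ == "__main__":
    entry = parse_session(LOCAL_IN_SESSION)
    # Expected values come from the local-in configuration on this page.
    issues = verify(entry, "reply", "test-shaper-300kbps", 30, 300, "000001", "001", 2)
    print("OK" if not issues else "\n".join(issues))
```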
