FortiGate
Article Id 193530
Description
This article illustrates the behavior of differentiated services code points (DSCP) for traffic between a computer and a FortiGate unit, or between a computer and another computer, through one or more FortiGate units.
Components
  • All FortiOS
Note about using a protection profile
The examples given hereafter are without protection profile enabled on the Firewall Policy.

If a protection profile is enabled, the FortiGate acting as a transparent proxy will create a new TCP session from itself to the destination device where the IP Packets have the DSCP field set to 0.

Introduction about DSCP

Differentiated Services describes a set of end-to-end Quality of Service (QoS) capabilities. End-to-end QoS is the ability of a network to deliver service required by specific network traffic from one end of the network to another. By configuring differentiated services, you configure your network to deliver particular levels of service for different packets based on the QoS specified by each packet.

Differentiated Services (also called DiffServ) is defined by RFC 2474 and 2475 as enhancements to IP networking to enable scalable service discrimination in the IP network without the need for per-flow state and signaling at every hop. Routers that can understand differentiated services sort IP traffic into classes by inspecting the DS field in IPv4 header or the Traffic Class field in the IPv6 header.

You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of the packet.

If the differentiated services feature is disabled, FortiGate units treat traffic as if the DSCP value is set to the default (00), and do not change IP packets' DSCP field. DSCP values are also not applied to traffic if the traffic originates from a FortiGate unit itself.

FortiGate units apply the DSCP value to the differentiated services (formerly TOS) field in the first word of the IP header. The typical first word of an IP header, with the default DSCP value, is 4500:

  • 4 for IPv4
  • 5 for a length of five words
  • 00 for the default DSCP value

You can change the packet's DSCP field for traffic initiating a session (forward) or for reply traffic (reverse). You can enable each direction separately and configure it in the firewall policy.

Note: Changes to DSCP values in a firewall policy affect only new sessions. If traffic must use the new DSCP values immediately, clear all existing sessions.

Example 1

In this example, an ICMP ping is executed between PC A and PC B, through FortiGate A. DSCP is disabled on both FortiGate A and FortiGate B, so neither FortiGate unit changes the IP headers' DSCP value.

The default binary DSCP value 000000 maps to the hexadecimal TOS field value 0x00, which is observable by a sniffer (also known as a packet tracer).

If you performed an ICMP ping between PC A and PC B, the following would illustrate the IP headers observed for the request and the reply by sniffers on each of FortiGate A's and FortiGate B's network interfaces. The rightmost two digits of each IP header are the TOS field, which contains the DSCP value.

PC A        FortiGate A              FortiGate B              PC B
            port6       port3        wan2        int
4500   →    4500        4500   →     4500        4500   →     4500
4500   ←    4500        4500   ←     4500        4500   ←     4500

Example 2

In this example, an ICMP ping is executed between PC A and FortiGate B, through FortiGate A. DSCP is disabled on FortiGate B, but FortiGate A contains the following configuration excerpt:

config firewall policy
   edit 0
      set srcintf "port6"
      set dstintf "port3"
      set srcaddr "all"
      set dstaddr "all"
      set action accept
      set schedule "always"
      set service "ANY"
      set diffserv-forward enable
      set diffservcode-forward 101110
   end

As a result, FortiGate A changes the DSCP field of outgoing (forward) traffic, but not of its reply traffic.

The binary DSCP values in this configuration map to the following hexadecimal TOS field values, which are observable by a sniffer (also known as a packet tracer):

  • DSCP 000000 is TOS field 0x00
  • DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)

If you performed an ICMP ping between PC A and PC B, the following would illustrate the IP headers observed for the request and the reply by sniffers on each of FortiGate A's and FortiGate B's network interfaces. The rightmost two digits of each IP header are the TOS field, which contains the DSCP value.

PC A        FortiGate A              FortiGate B              PC B
            port6       port3        wan2        int
4500   →    4500        45b8   →     45b8        45b8   →     45b8
4500   ←    4500        4500   ←     4500        4500   ←     4500

Example 3

In this example, an ICMP ping is executed between PC A and FortiGate B, through FortiGate A. DSCP is disabled on FortiGate B, but FortiGate A contains the following configuration excerpt:

config firewall policy
   edit 0
      set srcintf "port6"
      set dstintf "port3"
      set srcaddr "all"
      set dstaddr "all"
      set action accept
      set schedule "always"
      set service "ANY"
      set diffserv-forward enable
      set diffserv-rev enable
      set diffservcode-forward 101110
      set diffservcode-rev 101111
   end

As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic.

The binary DSCP values in this configuration map to the following hexadecimal TOS field values, which are observable by a sniffer (also known as a packet tracer):

  • DSCP 000000 is TOS field 0x00
  • DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
  • DSCP 101111 is TOS field 0xbc

If you performed an ICMP ping between PC A and PC B, the following would illustrate the IP headers observed for the request and the reply by sniffers on each of FortiGate A's and FortiGate B's network interfaces. The rightmost two digits of each IP header are the TOS field, which contains the DSCP value.

PC A        FortiGate A              FortiGate B              PC B
            port6       port3        wan2        int
4500   →    4500        45b8   →     45b8        45b8   →     45b8
45bc   ←    45bc        4500   ←     4500        4500   ←     4500

Example 4

In this example, an ICMP ping is executed between PC A and FortiGate B, through FortiGate A. DSCP is enabled for both traffic directions on FortiGate A, but enabled only for reply traffic on FortiGate B.

FortiGate A contains the following configuration excerpt:

config firewall policy
   edit 0
      set srcintf "port6"
      set dstintf "port3"
      set srcaddr "all"
      set dstaddr "all"
      set action accept
      set schedule "always"
      set service "ANY"
      set diffserv-forward enable
      set diffserv-rev enable
      set diffservcode-forward 101110
      set diffservcode-rev 101111
   end

FortiGate B contains the following configuration excerpt:

config firewall policy
   edit 0
      set srcintf "wan2"
      set dstintf "internal"
      set srcaddr "all"
      set dstaddr "all"
      set action accept
      set schedule "always"
      set service "ANY"
      set diffserv-rev enable
      set diffservcode-rev 101101
   end

As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic, but FortiGate B changes the DSCP field only for reply traffic.

The binary DSCP values in this configuration map to the following hexadecimal TOS field values, which are observable by a sniffer (also known as a packet tracer):

  • DSCP 000000 is TOS field 0x00
  • DSCP 101101 is TOS field 0xb4
  • DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
  • DSCP 101111 is TOS field 0xbc

If you performed an ICMP ping between PC A and PC B, the following would illustrate the IP headers observed for the request and the reply by sniffers on each of FortiGate A's and FortiGate B's network interfaces. The rightmost two digits of each IP header are the TOS field, which contains the DSCP value.

PC A        FortiGate A              FortiGate B              PC B
            port6       port3        wan2        int
4500   →    4500        45b8   →     45b8        45b8   →     45b8
45bc   ←    45bc        45b4   ←     45b4        4500   ←     4500

Example 5

In this example, HTTPS and DNS traffic is sent from PC A to FortiGate B, through FortiGate A. DSCP is enabled for both traffic directions on FortiGate A, but enabled only for reply traffic on FortiGate B.

FortiGate A contains the following configuration excerpt:

config firewall policy
   edit 0
      set srcintf "port6"
      set dstintf "port3"
      set srcaddr "all"
      set dstaddr "all"
      set action accept
      set schedule "always"
      set service "ANY"
      set diffserv-forward enable
      set diffserv-rev enable
      set diffservcode-forward 101110
      set diffservcode-rev 101111
   end

FortiGate B contains the following configuration excerpt:

config firewall policy
   edit 0
      set srcintf "wan2"
      set dstintf "internal"
      set srcaddr "all"
      set dstaddr "all"
      set action accept
      set schedule "always"
      set service "ANY"
      set diffserv-rev enable
      set diffservcode-rev 101101
   end

As a result, FortiGate A changes the DSCP field for both outgoing traffic and its reply traffic, but FortiGate B changes the DSCP field only for reply traffic which passes through its internal interface. Since the example traffic does not pass through the internal interface, FortiGate B does not mark the packets.

The binary DSCP values in this configuration map to the following hexadecimal TOS field values, which are observable by a sniffer (also known as a packet tracer):

  • DSCP 000000 is TOS field 0x00
  • DSCP 101101 is TOS field 0xb4, which is configured on FortiGate B but not observed by the sniffer because the example traffic originates from the FortiGate unit itself, and therefore does not match that firewall policy
  • DSCP 101110 is TOS field 0xb8, the recommended DSCP value for expedited forwarding (EF)
  • DSCP 101111 is TOS field 0xbc

If you sent HTTPS or DNS traffic from PC A to FortiGate B, the following would illustrate the IP headers observed for the request and the reply by sniffers on each of FortiGate A's and FortiGate B's network interfaces. The rightmost two digits of each IP header are the TOS field, which contains the DSCP value.

PC A        FortiGate A              FortiGate B
            port6       port3        wan2        int
4500   →    4500        45b8   →     45b8
45bc   ←    45bc        4500   ←     4500
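The DSCP-to-TOS mapping from the introduction and the hop-by-hop marking shown in Examples 1 to 5 can be reproduced in code, which is a convenient way to predict what a sniffer should show before checking a live capture. The following Python is an added example, not Fortinet's code or part of the original article: the `trace` function is a hypothetical model of the policy behaviour described above (forward marking applied on the egress of each unit, reverse marking applied to replies, and no marking of traffic that terminates on the unit itself, so such a unit is simply left out of the chain), and SAMPLE_HEADER is a constructed packet header.

```python
import struct

# Constructed sample: a 20-byte IPv4 header whose first word is 0x45b8
# (version 4, IHL 5, DS byte 0xb8); the remaining fields are zeroed.
SAMPLE_HEADER = bytes([0x45, 0xb8]) + bytes(18)

def dscp_to_tos(dscp_bits: str) -> int:
    """DSCP is the upper 6 bits of the DS (formerly TOS) byte; the low 2 bits are ECN."""
    if len(dscp_bits) != 6 or set(dscp_bits) - {"0", "1"}:
        raise ValueError("DSCP must be a 6-digit binary string, e.g. 101110")
    return int(dscp_bits, 2) << 2

def first_word(dscp_bits: str = "000000", ihl: int = 5) -> str:
    """Hex of the first 16-bit IPv4 header word: version nibble, IHL nibble, DS byte."""
    return f"{(4 << 12) | (ihl << 8) | dscp_to_tos(dscp_bits):04x}"

def dscp_from_header(raw: bytes) -> str:
    """Read the 6-bit DSCP back out of a captured IPv4 header, ignoring the ECN bits."""
    ver_ihl, tos = struct.unpack_from("!BB", raw)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return f"{tos >> 2:06b}"

def trace(policies, request_dscp="000000"):
    """Walk one request and its reply through a chain of FortiGate policies.
    Each policy is a dict with the DSCP bits of diffservcode-forward under
    'forward' and of diffservcode-rev under 'rev', present only when the
    matching diffserv-forward / diffserv-rev is enabled. A unit the traffic
    terminates on (Example 5) is left out, since its policy never matches.
    Both returned lists run from the PC A side: sender, then the ingress and
    egress interface of each unit, then the receiver.
    """
    req, cur = [first_word(request_dscp)], request_dscp
    for p in policies:
        req.append(first_word(cur))      # ingress interface: not yet marked
        cur = p.get("forward", cur)      # forward marking applied on the way out
        req.append(first_word(cur))      # egress interface
    req.append(first_word(cur))
    rep, cur = [first_word("000000")], "000000"   # reply leaves the far end unmarked
    for p in reversed(policies):
        rep.append(first_word(cur))
        cur = p.get("rev", cur)          # reverse marking applied by each unit
        rep.append(first_word(cur))
    rep.append(first_word(cur))
    return req, rep[::-1]

if __name__ == "__main__":
    # Example 4 from the article: A marks both directions, B marks replies only.
    req, rep = trace([{"forward": "101110", "rev": "101111"}, {"rev": "101101"}])
    print(" -> ".join(req), "\n", " <- ".join(rep))
```

Running the script prints the two rows of the Example 4 table; passing only FortiGate A's policy reproduces Example 5, where FortiGate B is the endpoint.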