Created on 12-14-2007 12:00 AM
Description
This article illustrates the behavior of differentiated services code points (DSCP) for traffic between a computer and a FortiGate unit, or between two computers, through one or more FortiGate units.
Note about using a protection profile
The examples given hereafter are without a protection profile enabled on the firewall policy. If a protection profile is enabled, the FortiGate unit acts as a transparent proxy and creates a new TCP session from itself to the destination device; the IP packets of that new session have the DSCP field set to 0.
Introduction about DSCP
Differentiated Services describes a set of end-to-end Quality of Service (QoS) capabilities. End-to-end QoS is the ability of a network to deliver the service required by specific network traffic from one end of the network to the other. By configuring differentiated services, you configure your network to deliver particular levels of service for different packets based on the QoS specified in each packet. Differentiated Services (also called DiffServ) is defined by RFC 2474 and RFC 2475 as an enhancement to IP networking that enables scalable service discrimination in the IP network without per-flow state and signaling at every hop. Routers that understand differentiated services sort IP traffic into classes by inspecting the DS field in the IPv4 header or the Traffic Class field in the IPv6 header.

You can use the FortiGate Differentiated Services feature to change the DSCP (Differentiated Services Code Point) value of all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing. DSCP features are applied to traffic by configuring the routers on your network to apply different service levels to packets depending on the DSCP value of each packet. If the differentiated services feature is disabled, FortiGate units treat traffic as if the DSCP value is set to the default (

FortiGate units apply the DSCP value to the differentiated services (formerly TOS) field in the first word of the IP header. The typical first word of an IP header, with the default DSCP value, is

You can change the packet's DSCP field for traffic that initiates a session (forward direction) or for reply traffic (reverse direction). Each direction can be enabled separately and is configured in the firewall policy.

Note: Changes to DSCP values in a firewall policy affect only new sessions. If traffic must use the new DSCP values immediately, clear all existing sessions.
Example 1
In this example, an ICMP ping is executed between PC A and PC B, through FortiGate A. DSCP is disabled on both FortiGate A and FortiGate B, so neither FortiGate unit changes the DSCP value in the IP headers. The default binary DSCP value

If you performed an ICMP ping between PC A and PC B, the following would illustrate the IP headers observed for the request and the reply by sniffers on each of FortiGate A's and FortiGate B's network interfaces. The rightmost two hexadecimal digits of each IP header word are the TOS field, which contains the DSCP value.
Example 2
In this example, an ICMP ping is executed between PC A and FortiGate B, through FortiGate A. DSCP is disabled on FortiGate B, but FortiGate A contains the following configuration excerpts:

config firewall policy

As a result, FortiGate A changes the DSCP field of the outgoing traffic, but not of its reply traffic. The binary DSCP values in this configuration map to the following hexadecimal TOS field values, which are observable with a sniffer (also known as a packet tracer):

If you performed an ICMP ping between PC A and PC B, the following would illustrate the IP headers observed for the request and the reply by sniffers on each of FortiGate A's and FortiGate B's network interfaces. The rightmost two hexadecimal digits of each IP header word are the TOS field, which contains the DSCP value.
Example 3
In this example, an ICMP ping is executed between PC A and FortiGate B, through FortiGate A. DSCP is disabled on FortiGate B, but FortiGate A contains the following configuration excerpts:

config firewall policy

As a result, FortiGate A changes the DSCP field of both the outgoing traffic and its reply traffic. The binary DSCP values in this configuration map to the following hexadecimal TOS field values, which are observable with a sniffer (also known as a packet tracer):

If you performed an ICMP ping between PC A and PC B, the following would illustrate the IP headers observed for the request and the reply by sniffers on each of FortiGate A's and FortiGate B's network interfaces. The rightmost two hexadecimal digits of each IP header word are the TOS field, which contains the DSCP value.
Example 4
In this example, an ICMP ping is executed between PC A and FortiGate B, through FortiGate A. DSCP is enabled for both traffic directions on FortiGate A, but only for reply traffic on FortiGate B. FortiGate A contains the following configuration excerpts:

config firewall policy

FortiGate B contains the following configuration excerpts:

config firewall policy

As a result, FortiGate A changes the DSCP field of both the outgoing traffic and its reply traffic, but FortiGate B changes the DSCP field only of reply traffic. The binary DSCP values in this configuration map to the following hexadecimal TOS field values, which are observable with a sniffer (also known as a packet tracer):

If you performed an ICMP ping between PC A and PC B, the following would illustrate the IP headers observed for the request and the reply by sniffers on each of FortiGate A's and FortiGate B's network interfaces. The rightmost two hexadecimal digits of each IP header word are the TOS field, which contains the DSCP value.
Example 5
In this example, HTTPS and DNS traffic is sent from PC A to FortiGate B, through FortiGate A. DSCP is enabled for both traffic directions on FortiGate A, but only for reply traffic on FortiGate B. FortiGate A contains the following configuration excerpts:

config firewall policy

FortiGate B contains the following configuration excerpts:

config firewall policy

As a result, FortiGate A changes the DSCP field of both the outgoing traffic and its reply traffic, but FortiGate B changes the DSCP field only of reply traffic that passes through its internal interface. Since the example traffic does not pass through the internal interface, FortiGate B does not mark the packets. The binary DSCP values in this configuration map to the following hexadecimal TOS field values, which are observable with a sniffer (also known as a packet tracer):

If you sent HTTPS or DNS traffic from PC A to FortiGate B, the following would illustrate the IP headers observed for the request and the reply by sniffers on each of FortiGate A's and FortiGate B's network interfaces. The rightmost two hexadecimal digits of each IP header word are the TOS field, which contains the DSCP value.
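The following model, added here as an illustration and not taken from this article or from Fortinet, shows how the binary DSCP codes in Examples 2 to 5 become the hexadecimal TOS byte a sniffer sees in the first word of the IPv4 header, and how forward and reverse marking on each unit along the path produces different values for the request and the reply. The policy dictionaries, the scenario values and the option-style key names are constructed for the example and are not the configuration excerpts from the article.

```python
"""Constructed model of FortiGate DSCP marking as seen in the IPv4 TOS byte."""

def dscp_to_tos(dscp_bits: str) -> int:
    """6-bit binary DSCP string (e.g. '001010') -> 8-bit TOS byte; ECN bits are 0."""
    if len(dscp_bits) != 6 or set(dscp_bits) - {"0", "1"}:
        raise ValueError(f"DSCP must be 6 binary digits, got {dscp_bits!r}")
    return int(dscp_bits, 2) << 2

def tos_to_dscp(tos: int) -> str:
    """TOS byte -> 6-bit binary DSCP string (drops the two ECN bits)."""
    return format((tos & 0xFF) >> 2, "06b")

def header_first_word(tos: int, ihl: int = 5) -> str:
    """First 16 bits of an IPv4 header as hex: version 4, IHL, then the TOS byte.
    With the default DSCP this is '4500'; the rightmost two digits are the TOS."""
    return f"{(4 << 4) | ihl:02x}{tos:02x}"

def mark(tos: int, policy: dict, direction: str) -> int:
    """Apply one policy's DSCP setting to a packet in the 'forward' (request)
    or 'reverse' (reply) direction. Disabled direction: packet is left alone."""
    if not policy.get(f"diffserv-{direction}", False):
        return tos
    return dscp_to_tos(policy[f"diffservcode-{direction}"])

def observe(path: list, request_tos: int = 0x00, reply_tos: int = 0x00):
    """Return the header word seen after each unit for the request (units in
    path order) and for the reply (same units, traversed in reverse order)."""
    request, reply = [], []
    tos = request_tos
    for name, policy in path:
        tos = mark(tos, policy, "forward")
        request.append((name, header_first_word(tos)))
    tos = reply_tos
    for name, policy in reversed(path):
        tos = mark(tos, policy, "reverse")
        reply.append((name, header_first_word(tos)))
    return request, reply

# Constructed scenario in the shape of Example 4: FortiGate A marks both
# directions, FortiGate B marks only replies. The codes are arbitrary picks
# (001010 = AF11, 010010 = AF21, 101110 = EF), not the article's values.
PATH_EXAMPLE = [
    ("FortiGate A", {"diffserv-forward": True, "diffservcode-forward": "001010",
                     "diffserv-reverse": True, "diffservcode-reverse": "010010"}),
    ("FortiGate B", {"diffserv-forward": False,
                     "diffserv-reverse": True, "diffservcode-reverse": "101110"}),
]

if __name__ == "__main__":
    req, rep = observe(PATH_EXAMPLE)
    print("request:", req)   # FortiGate A sets 0x28, FortiGate B leaves it
    print("reply:  ", rep)   # FortiGate B sets 0xb8, FortiGate A then sets 0x48
```

Because each unit only rewrites the direction it is enabled for, the request leaves FortiGate B still carrying FortiGate A's forward code, while the reply is re-marked by both units and arrives at PC A with FortiGate A's reverse code.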
Copyright 2024 Fortinet, Inc. All Rights Reserved.