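According to the firewall policy, FortiGate changes the DSCP field for both outgoing traffic and its reply traffic. The policy below matches all source addresses, destination addresses and services for illustration only; a production policy should be scoped to the traffic that actually needs the marking.
# config firewall policy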
edit 1
set srcintf port1
set dstintf wan2
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set diffserv-forward enable
set diffservcode-forward 010110
set diffserv-rev enable
set diffservcode-rev 010110
next
end
If a sniffer capture is taken on the outbound 'WAN2' interface of 'FGT-I', Wireshark will show that the traffic is not marked as AF23 (010110) in either the outbound or the inbound direction.
# config firewall shaping-policy
edit 1
set service "ALL"
set dstintf "FGT-II-VPN"
set traffic-shaper "TS_20M"
set traffic-shaper-reverse "TS_20M"
set srcaddr "all"
set dstaddr "all"
next
end
# config firewall shaper traffic-shaper
edit "TS_20M"
set guaranteed-bandwidth 20000
next
end
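Once DSCP marking is configured under the shaping policy, the packet capture will show the corresponding marking applied in both directions. The full configuration shown next still has diffserv-forward and diffserv-reverse set to disable; the final block enables them and sets the DSCP code.
FGT5HD-2 (1) # sh full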
# config firewall shaping-policy
edit 1
set name ''
set comment ''
set status enable
set ip-version 4
set internet-service disable
set internet-service-src disable
set service "ALL"
set schedule ''
set dstintf "FGT5HD-3"
set tos-mask 0x00
set traffic-shaper "TS_20M"
set traffic-shaper-reverse "TS_20M"
set per-ip-shaper ''
unset class-id
set diffserv-forward disable
set diffserv-reverse disable
set srcaddr "all"
set dstaddr "all"
next
end
# config firewall shaping-policy
edit 1
set service "ALL"
set dstintf "FGT5HD-3"
set traffic-shaper "TS_shared_20M_guarantee_High"
set traffic-shaper-reverse "TS_shared_20M_guarantee_High"
set diffserv-forward enable
set diffserv-reverse enable
set srcaddr "all"
set dstaddr "all"
set diffservcode-forward 010110
set diffservcode-rev 010110
next
end
Related Articles
Technical Tip: Differentiated Services Code Point (DSCP) making