alif
Staff
Article Id 190923

Description


This article describes how to configure Differentiated Services Code Point (DSCP) marking on FortiGate units.

Solution


Differentiated Services (DiffServ) is defined in RFC 2474 and RFC 2475 as an enhancement to IP networking that enables scalable service discrimination without per-flow state or signaling at every hop.
Routers that understand Differentiated Services sort IP traffic into classes by inspecting the DS field in the IPv4 header or the Traffic Class field in the IPv6 header.


The FortiGate Differentiated Services feature changes the DSCP (Differentiated Services Code Point) value of every packet accepted by a policy.
Downstream devices can use these DSCP values to classify, mark, shape, and police traffic, and to perform intelligent queuing.
The FortiGate itself can also act on DSCP values: it can be configured to apply different service levels to packets depending on the DSCP value they carry.


If the Differentiated Services feature is not enabled, the FortiGate unit treats traffic as if the DSCP value were the default (CS0, best effort) and leaves the DSCP field of IP packets unchanged.
DSCP marking is also not applied to traffic that originates from the FortiGate unit itself.


Marking is configured in the firewall policy and can be enabled separately, each with its own DSCP value, for the traffic that initiates a session (forward direction) and for its reply traffic (reverse direction).
Changes to the DSCP values in a firewall policy affect new sessions only; existing sessions keep their previous marking.
If traffic must use the new DSCP values immediately, clear the existing sessions (diagnose sys session clear does this for all sessions on the unit, so it is disruptive and best done in a maintenance window).


DSCP marking is enabled per policy with the following CLI commands. The code values are six-digit binary strings (for example 011010 for AF31).

# config firewall policy
    edit <policy_number>
    ...
        set diffserv-forward enable
        set diffservcode-forward <binary_integer>
        set diffserv-reverse enable
        set diffservcode-rev <binary_integer>
    next
end

DSCP is a 6-bit value (decimal 0 to 63) carried in the upper six bits of the DS byte of the IP header (the former ToS byte; the lower two bits are reserved for ECN) and marks the class of traffic the packet belongs to.
The following table (an image in the original article) defines the relationship between service classes and DSCP markings; the same mapping is given in RFC 4594, linked below.


Consider an example where an ICMP echo request is sent from a host behind port1 to the public DNS server 4.2.2.2 via wan2.
On the FortiGate, DSCP marking is enabled in both directions.

The firewall policy on the FortiGate is as follows.
# config firewall policy
    edit 1
        set srcintf port1
        set dstintf wan2
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set diffserv-forward enable
        set diffservcode-forward 011010
        set diffserv-reverse enable
        set diffservcode-rev 011010
    next
end
With this policy, the FortiGate rewrites the DSCP field of both the outgoing traffic and its reply traffic.

If the sniffer is taken on the outbound 'wan2' interface, a Wireshark capture shows the outbound traffic marked as AF31 (011010).
# diagnose sniffer packet wan2 "host 4.2.2.2 and icmp" 6 0 a

The reply traffic arriving on the wan2 interface, however, is still marked CS0 (best effort).
This is expected: the reverse-direction marking is applied when the reply is forwarded, so it becomes visible on the egress interface port1, not on the ingress interface wan2.

If the sniffer is taken on the 'port1' interface, the outbound echo request still carries the default marking, because the forward-direction marking is likewise applied on egress (wan2), after the packet has left port1.
# diagnose sniffer packet port1 "host 4.2.2.2 and icmp" 6 0 a

The reply traffic leaving port1 toward the host, however, is marked as AF31.
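The following Python is an added example, not FortiOS code and not part of the original article. It emulates what the policy above does to an IPv4 header: it builds a minimal header, reads and rewrites the six DSCP bits of the DS byte while leaving the two ECN bits alone, recomputes the header checksum, and applies forward/reverse marking the way a firewall policy does, so the four capture points of the example (port1 in, wan2 out, wan2 in, port1 out) can be reproduced. The host address 10.0.0.10, the policy dictionary and the PHB table are constructed for the example; get_dscp() can equally be applied to header bytes taken from a real capture.

```python
"""Emulate FortiGate-style DSCP rewriting on raw IPv4 headers (added example)."""
import ipaddress
import struct

# Standard Per-Hop Behaviour names -> DSCP decimal values (RFC 2474, RFC 2597,
# RFC 3246). Table constructed here for the example.
PHB = {
    "CS0": 0, "CS1": 8, "AF11": 10, "AF12": 12, "AF13": 14,
    "CS2": 16, "AF21": 18, "AF22": 20, "AF23": 22,
    "CS3": 24, "AF31": 26, "AF32": 28, "AF33": 30,
    "CS4": 32, "AF41": 34, "AF42": 36, "AF43": 38,
    "CS5": 40, "EF": 46, "CS6": 48, "CS7": 56,
}
PHB_NAME = {v: k for k, v in PHB.items()}


def dscp_to_cli(name):
    """PHB name -> six-digit binary string as used by diffservcode-forward/-rev."""
    return format(PHB[name], "06b")


def cli_to_dscp(code):
    """Six-digit binary string from the CLI -> DSCP decimal (0-63)."""
    if len(code) != 6 or set(code) - {"0", "1"}:
        raise ValueError("diffservcode must be exactly six binary digits")
    return int(code, 2)


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over a 20-byte header (0 when valid)."""
    total = sum(struct.unpack("!10H", header[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, dscp=0, ecn=0):
    """Minimal 20-byte IPv4 header plus payload; DS byte = DSCP<<2 | ECN."""
    ds = (dscp << 2) | ecn
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, ds, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def get_dscp(pkt):
    """Upper six bits of the second header byte (the DS field)."""
    return pkt[1] >> 2


def set_dscp(pkt, dscp):
    """Rewrite DSCP, keep the two ECN bits, and recompute the header checksum."""
    ds = (dscp << 2) | (pkt[1] & 0x03)
    hdr = bytes([pkt[0], ds]) + pkt[2:10] + b"\x00\x00" + pkt[12:20]
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + pkt[20:]


def apply_policy(pkt, direction, policy):
    """Mark as a policy would: forward packets get diffservcode-forward, reply
    packets get diffservcode-rev, each only if its diffserv-* flag is enabled."""
    if direction == "forward" and policy.get("diffserv-forward") == "enable":
        return set_dscp(pkt, cli_to_dscp(policy["diffservcode-forward"]))
    if direction == "reverse" and policy.get("diffserv-reverse") == "enable":
        return set_dscp(pkt, cli_to_dscp(policy["diffservcode-rev"]))
    return pkt


def walk_session(policy, client="10.0.0.10", server="4.2.2.2"):
    """PHB seen at each capture point of the article's example (constructed
    addresses): echo request in on port1 / out on wan2, reply in on wan2 /
    out on port1. Marking happens on egress, so the ingress copies are unchanged."""
    req = build_ipv4(client, server, 1, b"\x08\x00" + b"\x00" * 6)  # ICMP echo
    rep = build_ipv4(server, client, 1, b"\x00\x00" + b"\x00" * 6)  # echo reply
    req_out = apply_policy(req, "forward", policy)
    rep_out = apply_policy(rep, "reverse", policy)
    return {
        "port1 in": PHB_NAME[get_dscp(req)],
        "wan2 out": PHB_NAME[get_dscp(req_out)],
        "wan2 in": PHB_NAME[get_dscp(rep)],
        "port1 out": PHB_NAME[get_dscp(rep_out)],
    }


POLICY_1 = {  # mirrors firewall policy 1 from the article
    "diffserv-forward": "enable", "diffservcode-forward": "011010",
    "diffserv-reverse": "enable", "diffservcode-rev": "011010",
}

if __name__ == "__main__":
    for point, phb in walk_session(POLICY_1).items():
        print(f"{point:10s} {phb}")
```

Running the block prints CS0 for the two ingress points and AF31 for the two egress points, which is exactly the pattern the two sniffer captures above show; a rewritten header must also pass ipv4_checksum() == 0, which is the quickest way to spot a marking device that forgets to fix the checksum.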

DSCP marking can also be configured in firewall shaping policies, with the same forward/reverse logic as in a firewall policy. As in a firewall policy, the code values only take effect when marking is enabled for that direction.


# config firewall shaping-policy
    edit <id>
        set service "ALL"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set diffserv-forward enable
        set diffservcode-forward 011010
        set diffserv-reverse enable
        set diffservcode-rev 011010
    next
end

Related links:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/459043/configuring-differentiated-servic...
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-traffic-shaping-54/TS_Configuration/...
https://tools.ietf.org/html/rfc4594