Technical Tip: CoS marking for the self-originated traffic
Description
This article describes how to apply CoS marking for the self-originated traffic.
Scope
FortiGate.
Solution
CoS mapping on the FortiOS can be configured on a firewall policy.
Any traffic matching that specific policy will be marked with the appropriate CoS values.
CoS marking has to be configured via the CLI for a specific firewall policy (the policy is selected with edit and the change is committed with next/end):
config firewall {policy | policy6}
    edit <policy_id>
        set vlan-cos-fwd <int>
        set vlan-cos-rev <int>
    next
end
The command vlan-cos-fwd is used to change the CoS in the original direction of the session, while vlan-cos-rev is used to change it in the reply direction.
In some cases, the CoS marking must be applied for the FortiOS self-originated traffic.
This can be achieved by following these steps:
- Configure two VDOMs on the FortiGate: One in transparent mode (TRANSPARENT_VDOM) and the second in NAT mode (can use the root VDOM).
- Configure an inter VDOM link between these two VDOMs. Do not configure IP addressing in this step.
- Assign PORT1 interface to root VDOM.
- Assign WAN interface to the TRANSPARENT_VDOM.
- Place the root VDOM behind the TRANSPARENT_VDOM, so the root VDOM will be connecting to the Internet via TRANSPARENT_VDOM. The network diagram should be like this:
LAN----root vdom-[inter vdom interface] --- [inter vdom interface]-TRANSPARENT_VDOM-----Internet_gateway
- Assume that the ISP has provided a static public IP address that has to be assigned to the FortiGate. With the current setup, that public IP address will have to be assigned to the inter VDOM interface on the root VDOM.
Public IP address is x.y.z.5/30
Default gateway is x.y.z.6/30
Diagram with IP addressing should be like:
LAN---[port1:10.0.0.1/24]-root vdom-[inter vdom interface:x.y.z.5/30]---[inter vdom interface:no_ip_address]-TRANSPARENT_VDOM-[wan1:no_ip_address]---[x.y.z.6/30]-Internet_gateway
- Create a firewall policy on the TRANSPARENT_VDOM, which would allow traffic from the Inter VDOM link to the WAN interface.
- Configure CoS marking on that firewall policy.
- Once that is done, switch to the root VDOM and configure the policies from the LAN to the inter VDOM link in order to provide Internet connectivity for the LAN.
- Be sure to check that the root VDOM is the management VDOM, so that all of the self-originated traffic will egress from the root VDOM.
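The steps above as a FortiOS CLI sequence, added here as an example and not taken from the original article. The interface names port1/wan1, the link name vlink (which yields vlink0 and vlink1), the CoS value 5 and the documentation addresses 203.0.113.5/.6 (standing in for x.y.z.5/.6) are assumptions; replace them with your own values.

```text
config global
    config system vdom
        edit TRANSPARENT_VDOM
        next
    end
    config system vdom-link
        edit vlink
        next
    end
    config system interface
        edit port1
            set vdom root
            set ip 10.0.0.1 255.255.255.0
        next
        edit vlink0
            set vdom root
            set ip 203.0.113.5 255.255.255.252
        next
        edit vlink1
            set vdom TRANSPARENT_VDOM
        next
        edit wan1
            set vdom TRANSPARENT_VDOM
        next
    end
    config system global
        set management-vdom root
    end
end
config vdom
    edit TRANSPARENT_VDOM
        config system settings
            set opmode transparent
        end
        # link-to-WAN policy carrying the CoS marks; 5 is an assumed value (valid range 0-7)
        config firewall policy
            edit 1
                set srcintf vlink1
                set dstintf wan1
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set vlan-cos-fwd 5
                set vlan-cos-rev 5
            next
        end
    next
end
```

The line starting with # is an annotation, not CLI input, and some FortiOS versions also require set manageip <ip/mask> next to set opmode transparent. The root VDOM still needs its LAN-to-vlink0 policy and a default route to 203.0.113.6 via vlink0, configured the same way under config vdom / edit root.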
